1 Introduction 


1.1 Purpose of this document 


The SuSE Linux Enterprise Server (SLES) distribution is designed to provide a secure and reliable operating system 
for a variety of purposes. Because security requirements depend on the applications and the environment, it is 
not possible to simply certify that the system is "secure"; a more precise definition is needed. 


The Common Criteria (CC) provides a widely recognized methodology for security certifications. A CC evaluation is 
fundamentally a two-step process, consisting of defining the "security target", which describes the features that are to 
be evaluated, and then testing and verifying that the system actually implements these features with a sufficient level 
of assurance. 


This document is a security guide that explains how to set up the evaluated configuration, and provides information 
to administrators and ordinary users to ensure secure operation of the system. It is intended to be self-contained in 
addressing the most important issues at a high level, and refers to other existing documentation where more details 
are needed. The usual convention of referring to manual pages is used, i.e. ls(1) implies running the man -S 1 ls 
command (usually, -S and the section number may be omitted). 


The document primarily addresses administrators, but the section "Security guidelines for users" is intended for ordinary 
users of the system as well as administrators. 


Knowledge of the Common Criteria is not required for readers of this document. 


1.2 How to use this document 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", 
"RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 
<http://www.ietf.org/rfc/rfc2119.txt>. 


Note that the terms "SHOULD" and "SHOULD NOT" are avoided in this document. Requirements are either absolute 
(and marked with MUST and equivalent terms), or entirely optional (in the sense of not affecting required security 
functions) and marked with RECOMMENDED, MAY or OPTIONAL. 


If you follow the requirements in this document when setting up and using the system, your configuration will match 
the evaluated configuration. Certain configuration options are marked as OPTIONAL and you MAY modify them 
as needed, but you MUST NOT make other changes, because they will cause the system to no longer match the evaluated 
configuration. 


Of course, you MUST always use common sense. This document is not a formal specification, and legitimate reasons 
may exist to modify the system setup in ways not described here if that is necessary for the system to fulfill its intended 
purpose. Specifically, applying security patches released by the vendor is strongly RECOMMENDED even though that 
will cause a deviation from the evaluated configuration. 


In cases where the requirements and recommendations in this document conflict with those in other sources (e.g. the 
online documentation), the information in this Security Guide has higher precedence. You MUST follow the steps 
described here to reach the evaluated configuration, even if other documentation describes different methods. 


1.3 What is a CC compliant System? 


A system can be considered to be "CC compliant" if it matches an evaluated and certified configuration. This implies 
various requirements concerning hardware and software, as well as requirements concerning the operating environment 
and users and the ongoing operating procedures. 


Strictly speaking, an evaluation according to the CC represents the results of an investigation of the security properties 
of the target system according to defined guidelines. It should not be taken as a guarantee of fitness for any specific 
purpose, but it helps in deciding the suitability of the system by comparing the intended use with the described 
capabilities, and it provides a level of assurance about the security functions that have been examined by a neutral 
third party. 


1.3.1 Hardware requirements 


The hardware MUST be one of the following IBM systems: 

- xSeries 335 (x86) 
- pSeries 630 (ppc 64-bit kernel) 
- iSeries 825 (ppc 64-bit kernel) 
- zSeries 900 (s390 31-bit kernel) 
- eServer 325 (x86_64 Opteron) 


Running the certified software on other similar hardware may result in an equivalent security level, but the certification 
does not apply if the hardware is different from that used for the testing processes during the evaluation. 


1.3.2 Software requirements 


The software MUST match the evaluated configuration. In the case of an operating system, this also requires that the 
installed kernel, system and application software are the same. The documentation (including this guide) will specify 
permitted variations, such as modifying certain configuration files and settings, and installing software that does not 
have the capability to affect the security of the system (typically software that does not require 'root' privileges). 


1.3.3 Environmental requirements 


Stated requirements concerning the operating environment MUST be met. Typical requirements include a secure 
location for the hardware (protected from physical access by unauthorized persons), as well as restrictions concerning 
permitted network connections. 


1.3.4 Operational requirements 


The operation of the system MUST be in agreement with defined organizational security policies, to ensure that actions 
by administrators and users do not undermine the system's security. 


1.4 Requirements for the system’s environment 


The security target covers one or more systems running SLES, networked in a non-hostile network, with a well- 
managed and non-hostile user community. It is not intended to address the needs of an Internet-connected server, or 
the case where services are to be provided to potentially hostile users. 


All network cabling MUST be secure and protected from tapping and other modifications. We require a secure network 
for the evaluated configuration because an examination of cryptographic protocols was beyond the evaluation's scope. 
Of course, the OpenSSH suite of tools is also in use in hostile environments, but this evaluation makes no assumptions 
about its security properties in such scenarios. Only the password authentication functionality offered by OpenSSH 
is covered here; other authentication methods (such as public key authentication, Kerberos etc.) are not supported in 
the evaluated configuration. 


You MUST set up the server (or servers) in a physically secure environment, where they are protected from theft and 
manipulation by unauthorized persons. 


All components in the network such as routers, switches and hubs that are used for communication are assumed to 
pass the user data reliably and without modification. Translation of protocol elements (e.g. NAT) is allowed as long 
as those modifications do not lead to a situation where information is routed to somebody other than the intended 
recipient system. 


Be aware that information passed to another system leaves the control of the sending system, and therefore the protection 
of this information against unauthorized access needs to be enforced by the receiving system. If an organization 
wants to implement a consistent security policy covering multiple systems on a network, organizational procedures 
MUST ensure that all those systems can be trusted and are configured with compatible security configurations 
enforcing an organization-wide security policy. How to do this is beyond the scope of this Security Guide. If you set 
up a communication link to a system outside your control, please keep in mind that you will not be able to enforce any 
security policy for any information you pass to such a system over the communication link or in other ways (e.g. by 
using removable storage media). 


Every person that has the ability to perform administrative actions by switching to root has full control over the system 
and could, either by accident or deliberately, undermine the security of the system and bring it into an insecure state. 
This Security Guide provides basic guidance on how to set up and operate the system securely but is not intended 
to be the sole information required for a system administrator to learn how to operate Linux securely. It is assumed 
within this Security Guide that administrators who use this guide have a good knowledge and understanding of operating 
security principles in general and of Linux administrative commands and configuration options in particular. We 
strongly advise that an organization that wants to operate the system in the evaluated configuration nevertheless have 
its administrators trained in operating system security principles and SuSE Linux security functions, properties and 
configuration. 


We also want to emphasize the fact that every organization needs to trust its system administrators not to deliberately 
undermine the security of the system. Although the evaluated configuration includes audit functions that can be used to 
make users accountable for their actions, we need to point out that an administrator is able to stop the audit subsystem 
and reconfigure it such that his actions no longer get audited. Well-trained and trustworthy administrators are therefore 
a key element for the secure operation of the system. This Security Guide then provides the additional information 
a system administrator should obey when installing, configuring and operating the system in compliance with the 
requirements defined in the Security Target for the Common Criteria evaluation. 


1.5 Requirements for the system’s users 


The security target addresses the security needs of cooperating users in a benign environment, who will use the system 
responsibly to fulfill their tasks. 


Note that system availability is not addressed in this evaluation, and a malicious user could disable a server through 
resource exhaustion or similar methods. 


The requirements for users specifically include: 


- User accounts MUST be assigned only to those users with a need to access the data protected by the system, and 
  who MUST be sufficiently trustworthy not to abuse those privileges. For example, the system cannot prevent 
  data from being intentionally redistributed to unauthorized third parties by an authorized user. 


- All users of the system MUST be sufficiently skilled to understand the security implications of their actions, and 
  MUST understand and follow the requirements listed in section §6 "Security guidelines for users" of this 
  document. Appropriate training MUST be available to ensure this. 


It is part of your responsibility as a system administrator to verify that these requirements are met, and to be available 
to users if they need your help in maintaining the security of their data. 


1.6 Overview of the system's security functions 


This section summarizes the security functions that were covered by the evaluation. Please refer to the appropriate 
sections for information on configuring, using and managing these functions. 


1.6.1 Identification and Authentication 


Pluggable Authentication Module (PAM) 
    Sections §3.12 "Introduction to Pluggable Authentication Module (PAM) configuration" and §3.13 "Required 
    Pluggable Authentication Module (PAM) configuration"; the documentation in /usr/share/doc/packages/pam/ and 
    the pam(8) man page. 


login 
    Section §3.14 "Setting up login controls"; and the login(1) and login.defs(5) man pages. 


OpenSSH 
    Section §3.7 "Setting up SSH" and the sshd(8), ssh(1), sshd_config(5) man pages. 


vsftpd 
    Section §3.9 "Setting up FTP" and the vsftpd(8), vsftpd.conf(5) man pages. 


su 
    Sections §3.5 "Update permissions for 'su'" and §4.3 "Gaining superuser access"; and the su(8) man page. 


1.6.2 Audit 


Sections §3.11 "Setting up the audit subsystem" and §5.3 "Configuring the audit subsystem"; and the laus(7) man 
page, whose "SEE ALSO" section points to the remaining LAuS man pages. 


1.6.3 Discretionary Access Control 


Sections §6.4 "Access control for files and directories" and §4.8 "SYSV shared memory and IPC objects". 


1.6.4 Object Reuse 


See the SLES High Level Design document: the kernel automatically ensures that new objects (disk files, memory, 
IPC) do not contain any traces of previous contents. 


1.6.5 Security Management and System Protection 


Chapters §4 "System operation" and §5 "Monitoring, Logging & Audit". 


1.6.6 Secure Communication 


Section §4.9 "Configuring secure network connections with stunnel" and the stunnel(1) man page. 


Section §3.7 "Setting up SSH" and the sshd(8), ssh(1), sshd_config(5) man pages. 


1.7 Overview of security relevant events 


The audit subsystem is intended to be the central interface for collecting and viewing the record of security relevant 
events. The events being monitored by default in the evaluated configuration include: 


- All authentication done through the PAM library, including the identity and location (where available) of the 
  user and the success or failure result. 

- Use of su(8) to change identity. All actions done as part of a su session are marked in the audit record with the 
  original user's login user ID. 

- Adding, changing or deleting users or groups. 

- Changes and change attempts to the contents of security critical files. 

- Changes to the access permissions or ownership of any files or IPC objects. 

- Binding network ports and accepting connections. 


Please refer to section §5 "Monitoring, Logging & Audit" for more information. 


2 Installation 


The evaluation covers a fresh installation of SLES version 8 on one of the supported hardware platforms as defined 
in section §1.3.1 "Hardware requirements" above. 


On the platforms that support virtualization (VM) or secure logical partitioning (LPAR), other operating systems MAY 
be installed and active at the same time as the evaluated configuration if (and only if) the VM or LPAR configuration 
ensures that the other operating systems cannot access data belonging to the evaluated configuration or otherwise 
interfere with its operation. Setting up this type of configuration is considered to be part of the operating environment 
and is not addressed in this document. 


On the other platforms, the evaluated configuration MUST be the only operating system installed on the server. 


2.1 Supported hardware 


You MAY attach the following peripherals without invalidating the evaluation results. Other hardware MUST NOT be 
installed in or attached to the system. 

- Any storage devices and backup devices supported by the operating system (this includes hard disks, CD-ROM 
  drives and tape drives). 

- All Ethernet and Token Ring network adapters supported by the operating system. Modems, ISDN and other 
  WAN adapters are not part of the evaluated environment. 

- Any printers supported by the operating system. 

- Operator console consisting of a keyboard, video monitor, and optionally mouse. Additionally, you may directly 
  attach supported serial terminals, but not modems, ISDN cards or other remote access terminals. 


Hot-pluggable hardware that depends on the dynamic loading of kernel modules is not supported. Examples of such 
unsupported hardware are USB, IEEE 1394/FireWire and PCMCIA/CardBus peripherals. 
2.2 Selection of install options and packages 


This section describes the detailed steps to be performed when installing the SLES operating system on the target 
server. 


All settings listed here are REQUIRED unless specifically declared otherwise. 


- Disconnect the computer from all network connections. You MUST NOT reconnect them until the post-install 
  configuration (including system hardening) is completed. 

- Verify that the installation CD is an authentic SuSE distribution CD for SLES 8 with the label "SuSE LINUX 
  ENTERPRISE SERVER Installation" for your server's architecture. The CD is shipped in a sealed sleeve. 

- Launch the installer program contained on the CD-ROM. The details of how to do this depend on the hardware 
  platform; please refer to the installation guide that is part of the printed manual accompanying the CD. 
  For example: 

  - xSeries, eServer: Insert the SLES 8 CD and boot from CD-ROM. 

  - zSeries, pSeries: Details depend on the operation mode (VM, LPAR or native). The process generally 
    involves copying the installer onto the server and launching it using the host's management interface. 

- Text mode MAY be chosen instead of the default graphical installation. 

- You MAY also use a serial console to do a text-mode installation. To do so, connect a serial terminal (or a 
  computer with terminal emulator software; such a computer MUST be appropriately secure) to the server's 
  serial port, and boot from the SLES CD. When the boot prompt is shown on the serial console, enter 
  "install console=ttyS0" and press ENTER to start the installation. 

- Accept the license agreement. 

- Select your language: "English (US)" (to ensure that the messages shown match those described in this guide). 
  If prompted (due to having Linux installed already), choose "New installation". 

- Installation settings: 

  - Mode: "New installation" 

  - Keyboard layout: "English (US)" (MAY be changed) 

  - Mouse: OPTIONAL (not needed) 

  - Partitioning: 
    change the "/" type to "ext3" 

    OPTIONAL: add other ext3 partitions, e.g. /var, /home 

    OPTIONAL: modify the swap space setting (MAY be disabled) 

    For all ext3 partitions, choose "Fstab Options" and set "Arbitrary option value" to "acl". The additional 
    options "No access time" or "Mount read-only" MAY be set as required. 

  - Software: choose "Minimum system" (or "Minimum graphical system (without KDE)" if "Minimum system" 
    is not offered as an option), and confirm the choice. Extra packages will be removed during the 
    following hardening steps. 

  - Select "Detailed selection" and add the following packages to the selection. This is easiest when "Filter" 
    is set to "Search"; then you can enter (part of) the package names in the search field and add a check mark 
    to the package in the search result. 

    The packages marked as OPTIONAL are services that are part of the evaluated configuration but MAY be 
    omitted if you do not need them for your system. Packages containing documentation files or viewers that 
    this document refers to are marked as RECOMMENDED, but you MAY omit them. 

    The installer will automatically choose an appropriate kernel (single processor or SMP) based on the 
    detected hardware. You MAY override this choice and choose either the k_deflt or k_smp kernel package 
    manually. 
    yast2-online-update         OPTIONAL: YaST2 module: get security patches 
                                (only for use in the local network, not the Internet) 
    yast2-runlevel              YaST2 module: manage program start/stop at boot 
    yast2-security              YaST2 module: edit global security settings 
    yast2-sysconfig             YaST2 module: edit contents of /etc/sysconfig/* 
    star                        Data archival tool with ACL support 
    texinfo                     RECOMMENDED: Info documentation viewer 
    man-pages                   RECOMMENDED: Manual pages 
    howtoenh                    RECOMMENDED: how-to documentation (HTML format) 
    sles-admin-x86+x86-64_en    RECOMMENDED: Administrator Manual 
    sles-inst-x86+x86-64_en     RECOMMENDED: Installation Manual 
    sles-admin-ipseries_en      (choose the manual set for your architecture: 
    sles-inst-ipseries_en       x86+x86-64, ipseries or zseries) 
    sles-admin-zseries_en 
    sles-inst-zseries_en 
    lprng                       OPTIONAL: Print spooler 
    xinetd                      OPTIONAL: xinetd (only used for vsftpd) 
    vsftpd                      OPTIONAL: FTP daemon (needs xinetd) 
    stunnel                     OPTIONAL: set up encrypted SSL tunnels 

  - Booting: keep the default (no other OS is permitted on the server). 

  - Time zone: 
    RECOMMENDED: keep hardware clock time as "UTC" 
    RECOMMENDED: set the zone as appropriate for the server location 

  - Language: "English (US)" 

- Start installation: press the "Accept" and "Yes, install" buttons. 


- Installation will proceed. Insert the CDs as prompted by the installer. 

- The installer will reboot to continue running on the installed system. 

- The installer will switch to text mode; confirm the explanatory text about this. 

- Password for "root", the administrator: 

  - choose according to the password policy (§6.3) 
  - in "Expert Options", set Password Encryption: "MD5" 

- Add a new user: 

  - create an account for one of the administrators (RECOMMENDED: whoever is doing the installation) 

  - choose a username (not 'root' or any other system account) 

  - choose a password according to the password policy (§6.3) 

  - open the "Details" dialog, and add membership in the additional group "trusted" for this administrator. 
    Close the dialog. 

  - open the "Password settings" window and edit the settings according to the parameters described in section 
    §3.14 "Setting up login controls": 

        Issue warning how many days before password expiration?      5 
        How many days after password expires is the login usable?    -1 
        Maximum number of days for the same password                 60 
        Minimum number of days for the same password                 1 

    The "Expiration date" MAY be left blank. Close the dialog. 


  - press the "Next" button to continue. 

- Network cards configuration 

  - Configure all installed network cards (zero or more) as appropriate for the platform. In the case of virtual 
    network cards on zSeries or iSeries, these options are not available. The following options MUST be used 
    for non-virtual network cards: 

    - Set a static IP address for each card (MUST NOT use DHCP). 
    - Select the "Host name and name server" dialog. 
    - Disable the "Change host name via DHCP" setting. 
    - Disable the "Update name servers via DHCP" setting. 
    - RECOMMENDED: set the system's host name. 
    - OPTIONAL: configure DNS servers and DNS search lists. 
    - OPTIONAL: set the default gateway and/or static routes. 
    - Modems and ISDN adapters MUST NOT be present. 

  - We RECOMMEND that you disconnect all network connections until the post-install system configuration 
    is finished. You MAY use a network if required for the installation (for example, zSeries hosts are usually 
    installed using NFS, because they do not have a CD drive). If you do use a network, you MUST ensure 
    that this network is secure. 


2.3 Installing required updates 


The base system from CD is not yet configured to meet the requirements for the evaluated configuration. 


You need to perform the following steps (detailed below) to achieve the evaluated configuration: 

- Apply the Service Pack 3 (SP3) patches. 
- Replace the default PAM authentication library with the audit-enabled pam-laus version. 
- Install the certification-sles-eal3 RPM and run the sles-eal3 script. 
- Reboot. 


SLES 8 Service Pack 3 MUST be applied to the system. Since the evaluated configuration does not permit an Internet 
connection, you MUST use a separate machine to download the update and transfer the files to the target system, e.g. 
using a CD-R disk. You MAY make the files available to other SLES systems in the secure network and use the YaST2 
online update mechanism to retrieve the files from this local mirror, but you MUST NOT connect the target system to 
the Internet. 


The ISO images are available for download from the SuSE maintenance web at the URL 
http://sdb.suse.de/en/psdb/html/ . There are two ISO images for each supported architecture, the first one con- 
taining the binaries (REQUIRED for installation) and the second one the source code (OPTIONAL). 


You MUST verify that the MD5 checksum of the file(s) you downloaded is correct: 

# md5sum *.iso 
722baf8d785a011503ec70e26045e91c UnitedLinux-1.0-SP-3-i386-RC4-CD1.iso 
eebe03e60bee38464603fc9c90d31cd0 UnitedLinux-1.0-SP-3-i386-RC4-CD2.iso 
2dcf46e3a0e6f50836500645df194a32 UnitedLinux-1.0-SP-3-x86-64-RC4-CD1.iso 
88bf8cc4b5c736b9c7d670a1926b363f UnitedLinux-1.0-SP-3-x86-64-RC4-CD2.iso 
097b72f8cc8cb3e7f1cd9b2885b3d105 SLES-8-SP-3-ppc-RC4-CD1.iso 
678cee58643537d58b461c1df2748be5 SLES-8-SP-3-ppc-RC4-CD2.iso 
704330ee0987be127ea6c9f514a93d71 SLES-8-SP3-s390-RC4-CD1.iso 
4c7ecd93cbb765a82eeeafe18fc8b090 SLES-8-SP3-s390-RC4-CD2.iso 


Then, either burn the CD1 image to a CD-R, or alternatively use a loopback mount on the target system if you have 
copied the ISO file using some other method. 


The mount point used MUST be /media/cdrom, otherwise the upgrade will not work correctly: 

# CD-ROM in default drive: 
mount /media/cdrom 

# Loopback mount of the image file (this example is for x86): 
mount -o loop UnitedLinux-1.0-SP-3-i386-RC4-CD1.iso /media/cdrom 


2.3.1 Automated SP3 upgrade 


This RECOMMENDED method is fully automated, but the script is not available for all architectures. 


# Run the non-interactive script: 
/media/cdrom/install_update_rpms.sh 
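As an added example (not code from the original guide or from SuSE), the following POSIX shell script chains the three steps just described: it compares the downloaded CD1 image against the MD5 sum listed in the checksum table, refuses to continue on a mismatch, loopback-mounts the verified image read-only at /media/cdrom, and runs install_update_rpms.sh if the image provides it (otherwise it points to the YaST procedure). The script name and the SLES_SP3_ISO environment variable are assumptions of this example; mounting and upgrading require root.

```shell
#!/bin/sh
# Added example, not part of the SLES 8 EAL3 guide: verify the SP3 CD1 image
# against the MD5 sum listed in the guide, mount it at the mount point the
# upgrade requires, and run the automated upgrade script if the image has one.
# Invocation (the variable name and script name are assumptions of this example):
#   SLES_SP3_ISO=/path/to/UnitedLinux-1.0-SP-3-i386-RC4-CD1.iso sh verify-and-upgrade-sp3.sh
set -e

# Expected MD5 sums, copied from the guide's checksum table (CD1 images only).
EXPECTED_SUMS='722baf8d785a011503ec70e26045e91c UnitedLinux-1.0-SP-3-i386-RC4-CD1.iso
2dcf46e3a0e6f50836500645df194a32 UnitedLinux-1.0-SP-3-x86-64-RC4-CD1.iso
097b72f8cc8cb3e7f1cd9b2885b3d105 SLES-8-SP-3-ppc-RC4-CD1.iso
704330ee0987be127ea6c9f514a93d71 SLES-8-SP3-s390-RC4-CD1.iso'

# Print the expected sum for an image file name, or fail if the name is unknown.
lookup_expected() {
    name=$(basename "$1")
    sum=$(printf '%s\n' "$EXPECTED_SUMS" | awk -v n="$name" '$2 == n { print $1 }')
    if [ -z "$sum" ]; then
        echo "no expected checksum for $name" >&2
        return 1
    fi
    printf '%s\n' "$sum"
}

# Compare a file's MD5 sum with the expected hex string (case-insensitive).
verify_md5() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    actual=$(md5sum "$2" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch for $2: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# Verify, mount read-only at /media/cdrom, then upgrade. Requires root.
upgrade_from_iso() {
    iso=$1
    expected=$(lookup_expected "$iso")
    verify_md5 "$expected" "$iso"
    mkdir -p /media/cdrom
    # The guide requires exactly this mount point; the upgrade fails elsewhere.
    mount -o loop,ro "$iso" /media/cdrom
    if [ -x /media/cdrom/install_update_rpms.sh ]; then
        /media/cdrom/install_update_rpms.sh
    else
        echo "no install_update_rpms.sh on this image: use the YaST Patch CD Update instead" >&2
    fi
}

# Only act when an image is named; sourcing the file just defines the functions.
if [ -n "${SLES_SP3_ISO:-}" ]; then
    upgrade_from_iso "$SLES_SP3_ISO"
fi
```

Because `set -e` is in effect, a checksum mismatch or an unknown file name aborts the script before anything is mounted, which is the property the MUST in the checksum step is there to enforce.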


2.3.2 YaST SP3 upgrade 


If you do not use the automated upgrade, you MUST do the SP3 upgrade through YaST: 

- Mount the ISO image as described above. 
- Launch yast from the shell prompt. 
- Select the Software category, item Patch CD Update. 
- Under Choice of installation source, choose Expert, and then choose Directory. 
- In the Local directory dialog box, enter /media/cdrom. 
- Choose Next. 
- Select all available patches. 
- Choose OK to install the patches, then Finish when it is done. 


2.3.3 Installing the audit subsystem 


You MUST also install the Linux Auditing Subsystem (LAuS) RPM package and the LAuS-enabled PAM library that 
are distributed on the SP3 CD-ROM. 


Install the LAuS userspace tools (auditd etc.). On pSeries and iSeries, you need to install both the 64bit and the 32bit 
versions of the library. On all other platforms, the plain laus package is either the 32bit or 64bit version as required for 
the architecture. 
# separate 64bit version on pSeries and iSeries only: 
rpm -Uvh /media/cdrom/*/*/laus-64bit-0.1*.rpm 

# all platforms (including pSeries and iSeries): 
rpm -Uvh /media/cdrom/*/*/laus-0.1*.rpm 


The LAuS-enabled PAM library is a drop-in replacement for the currently installed PAM library. Because PAM is a 
critical system component and an install error would leave the system unusable, you MUST use the following procedure: 


# Install the replacement pam-laus library, overwriting files 
# belonging to the original PAM library: 
rpm -Uvh --force /media/cdrom/*/*/pam-laus-0.76*.rpm 





# RECOMMENDED: verify that the installation was successful 
# by logging in locally: 
ssh localhost 


The RPM database will still list the original pam package as being installed, even though all of its files were overwritten 
by the pam-laus package. This is necessary to keep dependencies satisfied, e.g. for the pam-modules package. You 
MUST NOT reinstall or update the pam package. 


3 Secure initial system configuration 


After the initial installation, the operating system is not yet in the evaluated configuration. The instructions in this 
section explain how to achieve that configuration. 


After software upgrades or installation of additional packages, these steps MUST be re-done or at least re-checked to 
ensure that the configuration remains secure. 


Log in as user ’root’ on the system console for these steps. 


3.1 Automated configuration of the system 


The certification-sles-eal3.rpm package MUST be installed initially to achieve the evaluated configuration. This RPM 
package contains updates to the manuals, EAL3 specific configuration files and scripts to set up the evaluated config- 
uration. 


Please check the file /usr/share/doc/packages/certification-sles-eal3/README-eal3.txt from the certification-sles- 
eal3.rpm for the latest errata information. 


The certification-sles-eal3.rpm package contains a setup script that has to be run to implement the evaluated configu- 
ration: /usr/lib/eal3/bin/sles-eal3. 


The certification-sles-eal3 RPM contains the following EAL3 specific configuration file: 
/etc/permissions.eal3 


We RECOMMEND that you use the sles-eal3 script to reset the configuration to its initial state after any updates, 
but you MAY also perform the steps listed here manually. 


WARNING: The sles-eal3 script will reboot the system as the final step in the process, as described in the manual 
instructions in section §3.16 "Reboot and initial network connection". On zSeries, it will run the zipl boot configuration 
tool (with no arguments) before rebooting. 


If you use the script, the remaining steps in this chapter are done automatically; skip ahead to the "System operation" 
chapter (§4). 
3.2 Add and remove packages 


The evaluated configuration REQUIRES the Abstract Machine Testing Utility to be present on the machine. This 
tool is provided in the amtu RPM package contained within the certification-sles-eal3 RPM in the directory 
/usr/lib/eal3/rpm/. It will be installed automatically by the sles-eal3 script. 


The minimal install still contains some packages that MUST be removed for the evaluated configuration. Use 
rpm -qa to get a list of installed packages, and rpm -e PACKAGE_NAME ... to remove all packages EXCEPT 
those listed here. 
Some packages are listed as RECOMMENDED or OPTIONAL in section §2.2 "Selection of install options and 
packages". If you did not select all of those, some of the following packages will not be present on your system. 


The evaluated configuration including all RECOMMENDED and OPTIONAL packages consists of exactly the fol- 
lowing packages: 


all architectures: 


UnitedLinux-build-key openldap2-client 


aaa base openssh 

aaa skel openssl 

acl pam-laus 
amtu pam-modules 
ash parted 

at pciutils 
attr pcre 

bash perl 

be permissions 
bzip2 popt 
certification-sles-eal3 postfix 
cpio ps 

cracklib readline 
cron rem 

curl sed 
cyrus-sasl sh-utils 

db shadow 

devs sitar 
dialog sles-release 
diffutils star 
e2fsprogs stunnel 

ed suse-build-key 
file sysconfig 
filesystem syslogd 
fileutils sysvinit 
fillup tar 
findutils telnet 

gawk terminfo 
gdbm texinfo 
glibc textutils 
gpg timezone 
gpm utempter 
grep util-linux 
groff vim 

gzip vsftpd 
hdparm w3m 


heimdal-lib 


wget 
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howtoenh xinetd 

hwinfo yast2 

iproute2 yast2-bootloader 
iputils yast2-core 

ksymoops yast2-country 
12h-pngicons yast2-installation 
laus yast2-mouse 

less yast2-ncurses 
libgcc yast2-network 
libstdc++ yast2-online-update 
libxcrypt yast2-packagemanager 
1ibxm12 yast2-packager 
liby2util yast2-pam 

logrotate yast2-runlevel 
lprng yast2-security 
lukemftp yast2-storage 

m4 yast2-sysconfig 
mailx yast2-theme-SuSELinux 
man yast2-trans-en_US 
man-pages yast2-transfer 
mktemp yast2-update 
modutils yast2-users 

ncurses yast2-xml 

net-tools zlib 

netcat 

netcfg 


additional on x86 
either the "k deflt" 


freetype2 
grub 
isapnp 
kbd 


(xSeries): 


or the "k_smp" kernel 


sles-admin-x86+x86—64. en 
sles-inst-x86+x86-64_en 
unitedlinux-release 

yast2-theme-UnitedLinux 


additional on x86_64 (eServer 325 (opteron)) 
either the "k deflt" or the "k_smp" kernel 
freetype2 
grub 
glibc-32bit 
isapnp 
kbd 
sles-admin-x86+x86-64_en 
sles-inst-x86+x86-64_en 
unitedlinux-release 
yast2-theme-UnitedLinux 


additional on ppc (pSeries):
addonlibs-64bit
baselibs-64bit
glibc-64bit
hfsutils
isapnp
kbd
kernel-ppc64
laus-64bit
lilo
pdisk
sles-admin-ipseries_en
sles-inst-ipseries_en


additional on ppc (iSeries): 
addonlibs-64bit 
baselibs-64bit 
freetype2 
glibc-64bit 
hfsutils 
isapnp 
kernel-iseries64 
kernel-iseries64-tools 
laus-64bit 
lilo 
pdisk 
sles-admin-ipseries_en 
sles-inst-ipseries_en 


additional on s390 (zSeries):
freetype2
glibc-locale
k_deflt
s390-tools
sles-admin-zseries_en
sles-inst-zseries_en


The pam package will be listed in the RPM database as being installed, but all of its files were overwritten by the 
pam-laus package. You MUST NOT try to uninstall, reinstall or update the pam package. 


In addition to these packages, certain additional software from the SLES CDs MAY be installed without invalidating
the evaluated configuration. The rules described in the section §4.4 "Installation of additional software" MUST be
followed to ensure that the security requirements are not violated.


The following packages are examples of tolerated packages that MAY be added to the system according to these rules.
Note that the software contained in these packages is not intended to be used with 'root' privileges, but the presence of
the packages does not invalidate the evaluated configuration. The sles-eal3 script does not remove these packages
if they are installed on the system:


attr-devel
autoconf
automake
binutils
cpp
cross-ppc64-binutils
cross-ppc64-gcc
cross-ppc64-glibc
cross-ppc64-libs and headers
cvs
expect
flex
gcc
gcc-c++
gettext
glib
glibc-devel
glibc-locale
kernel-source
laus-devel
libgcc
libstdc++-devel
make
openssl-devel
pam-devel
patch
perl-Convert-BER
perl-Crypt-DES
perl-DateManip
perl-Digest-HMAC
perl-Digest-SHA1
perl-Expect
perl-HTML-Parser
perl-HTML-Tagset
perl-IO-Stty
perl-IO-Tty
perl-Mon
perl-Net-SNMP
perl-Net_SSLeay
perl-Tie-IxHash
perl-Time-Period
perl-TimeDate
perl-Tk
perl-URI
perl-gettext
perl-libwww-perl
strace
tcl
tk
xshared

3.3 Disable services 


Note: The system runlevel as specified in the 'initdefault' entry in /etc/inittab MUST remain at the default setting of
'3' for these steps to be valid.


Only the following services are allowed for runlevel 3: 


atd 
audit 
cron 
hwscan 
kbd 

lpd 
network 
postfix 
random 
rpmconfigcheck 
sshd 
syslog 
xinetd 


All others MUST be removed with insserv -r ServiceName. 


Make sure that the audit subsystem is activated and the startup symlink /etc/init.d/rc3.d/S01audit exists and points to
/etc/init.d/audit. If auditd is not running, all logins are automatically disabled as required by CAPP. If the link is
missing, create it with insserv audit.
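The following script is an added example, not part of this guide or of the sles-eal3 script. It compares the start links in a runlevel directory against the list of allowed services above and prints the insserv -r commands for whatever does not belong, without executing them. The allowlist is the one given in this section; the directory argument (defaulting to /etc/init.d/rc3.d) is an assumption so that the check can be run against a staging copy.

```sh
# Added example (not from the SLES guide): report start links in a runlevel
# directory whose service is not on the runlevel 3 allowlist.
# ALLOWED_SERVICES is the guide's list; RCDIR defaults to /etc/init.d/rc3.d.

ALLOWED_SERVICES="atd audit cron hwscan kbd lpd network postfix random rpmconfigcheck sshd syslog xinetd"

# unexpected_services [RCDIR]: print the name of every S??-link whose service
# is not allowed; return 1 if any were printed, 0 if the directory is clean.
unexpected_services() {
    rcdir=${1:-/etc/init.d/rc3.d}
    status=0
    for link in "$rcdir"/S[0-9][0-9]*; do
        [ -L "$link" ] || [ -e "$link" ] || continue   # pattern matched nothing
        name=${link##*/}                                # e.g. S01audit
        name=${name#S[0-9][0-9]}                        # strip "S" and sequence number
        case " $ALLOWED_SERVICES " in
            *" $name "*) ;;                             # on the allowlist
            *) echo "$name"; status=1 ;;
        esac
    done
    return $status
}

# removal_commands [RCDIR]: print the insserv -r command for each offending
# service. Nothing is executed, so the list can be reviewed before running it.
removal_commands() {
    unexpected_services "$1" | while read -r name; do
        echo "insserv -r $name"
    done
}

# When invoked with a directory argument, print the commands for that directory.
if [ $# -gt 0 ]; then removal_commands "$1"; fi
```

Run it as sh check_rc3.sh /etc/init.d/rc3.d and review the printed insserv -r lines before executing them; an empty output means only allowed services are started in runlevel 3.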


3.4 Remove setuid/setgid root settings from binaries 


Use of the setuid bit on binaries (to run with root privileges) MUST be limited to those shown in the following list. 
The other binaries that were installed ”setuid root” MUST have this bit removed. ’root’ can still run these binaries 
normally, but they are not available for ordinary users. 
/bin/ping
/bin/su 
/usr/bin/at 
/usr/bin/chage 
/usr/bin/chfn 
/usr/bin/chsh 
/usr/bin/crontab 
/usr/bin/gpasswd 
/usr/bin/lpq 
/usr/bin/lpr 
/usr/bin/lprm 
/usr/bin/lpstat 
/usr/bin/passwd 


There is also a number of SGID files on the system that are needed:


/usr/sbin/postdrop      # group "maildrop"
/usr/sbin/postqueue     # group "maildrop"
/usr/sbin/utempter      # group "tty"


For informational purposes, here is a non-authoritative list of programs that have their setuid or setgid bit removed:


/bin/mount
/bin/ping6
/bin/umount
/sbin/unix2_chkpwd
/sbin/unix_chkpwd
/usr/bin/expiry
/usr/bin/mandb
/usr/bin/newgrp
/usr/bin/ssh
/usr/bin/wall
/usr/bin/write
/usr/lib/pt_chown
/usr/sbin/lpc


Similarly, the setgid bit MUST NOT be used to give group "root" privileges to any binary.
The SuSE permission mechanism MUST be used to set permission bits appropriately. First make sure that no
SUID/SGID programs are present on the system:


find / \( ! -fstype ext3 -prune -false \) \
    -type f \( -perm -4000 -o -perm -2000 \) \
    -exec chmod u-s,g-s {} \; -print


Make sure that /etc/sysconfig/security has the following two variables set:


CHECK_PERMISSIONS=set
PERMISSION_SECURITY="eal3"


Then run chkstat -set /etc/permissions.eal3 to set the needed SUID and SGID bits.
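After chkstat has restored the required bits, the resulting set of setuid/setgid files can be compared against the lists in this section. The script below is an added example and not part of this guide or the permissions package: ALLOWED_SUID and ALLOWED_SGID are copied from the lists above, and the optional root directory argument is an assumption that lets the same check run on a staging tree. It uses find -xdev (stay on one file system) instead of the guide's -fstype ext3 test for that reason.

```sh
# Added example (not from the SLES guide): list setuid/setgid files that are
# not on the allowlists of section 3.4. Paths are reported relative to ROOT
# so that a staging tree is compared against the same lists as a live system.

ALLOWED_SUID="/bin/ping /bin/su /usr/bin/at /usr/bin/chage /usr/bin/chfn
/usr/bin/chsh /usr/bin/crontab /usr/bin/gpasswd /usr/bin/lpq /usr/bin/lpr
/usr/bin/lprm /usr/bin/lpstat /usr/bin/passwd"
ALLOWED_SGID="/usr/sbin/postdrop /usr/sbin/postqueue /usr/sbin/utempter"

# in_list PATH LIST: succeed if PATH is one of the whitespace-separated words in LIST.
in_list() {
    case " $(printf '%s ' $2)" in *" $1 "*) return 0 ;; esac
    return 1
}

# audit_setid [ROOT]: print "SUID path" or "SGID path" for every set-id file
# below ROOT (default /) that is not on the corresponding allowlist.
# A file that is both setuid and setgid is checked against both lists.
audit_setid() {
    root=${1:-}
    root=${root%/}                  # "" for the live system, "/srv/stage" for a tree
    find "${root:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while read -r f; do
        path=${f#"$root"}           # strip the staging prefix, if any
        if [ -u "$f" ] && ! in_list "$path" "$ALLOWED_SUID"; then echo "SUID $path"; fi
        if [ -g "$f" ] && ! in_list "$path" "$ALLOWED_SGID"; then echo "SGID $path"; fi
    done
}

# When invoked with a directory argument, audit that tree (use "/" for the live system).
if [ $# -gt 0 ]; then audit_setid "$1"; fi
```

Any line printed names a binary that either still carries a bit the guide says to remove, or that was added later (for example by a package update) and needs to be reviewed; an empty output means the set-id files match the evaluated configuration.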
3.5 Update permissions for 'su'


The ’su’ binary MUST be restricted to members of the trusted’ group. This will be enforced both with PAM configu- 
ration (configured later) and the binary’s permissions. 


chgrp trusted /bin/su 
chmod 4710 /bin/su 


When running the chkstat command as described above, this will be configured automatically. 


3.6 Disable root login over the network 


Login with user ID 0 ('root') MUST NOT be permitted over the network. Administrators MUST use an ordinary
user ID to log in, and then use the /bin/su - command to switch identities. For more information, refer to the
section §4.3 "Gaining superuser access" below.


We RECOMMEND that you remind administrators of this by adding the following alias to the bash configuration
file /etc/bash.bashrc.local that disables the pathless 'su' command:


alias su="echo \"Always use '/bin/su -' (see Security Guide)\""

This alias can be disabled for the root user in /root/.bashrc:

unalias su


The restriction for direct root logins is enforced through two separate mechanisms. For network logins using ssh, the 
PermitRootLogin no entry in /etc/ssh/sshd_config MUST be set (see next section). Console and serial termi- 
nal logins use the pam_securetty.so PAM module in the /etc/pam.d/login file, which verifies that the terminal 
character device used is listed in the file /etc/securetty. 


The file /etc/securetty MUST NOT be changed from the secure default settings as originally installed:


#
# This file contains the device names of tty lines (one per line,
# without leading /dev/) on which root is allowed to login.
#
tty1
tty2
tty3
tty4
tty5
tty6
# for devfs:
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
3.7 Setting up SSH


SSH protocol version 1 MUST be disabled. It has known security deficiencies. 


The ssh client MUST NOT be set up setuid root (the setuid bit was removed in the post-install configuration). This 
prevents the use of some authentication methods normally supported by OpenSSH, but does not affect the evaluated 
configuration which uses password authentication exclusively. 


The SSH Server MUST be configured to reject attempts to log in as root. 


The permitted authentication mechanisms are per-user (nonempty) passwords and per-user DSS public key authenti- 
cation. All other authentication methods MUST be disabled. 


The setting PAMAuthenticationViaKbdInt MUST be disabled, since it would otherwise circumvent the restriction
on root logins over the network.


This results in the following option set for the SSH daemon that MUST be set in /etc/ssh/sshd_config:


Protocol 2
Ciphers 3des-cbc
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
PAMAuthenticationViaKbdInt no
X11Forwarding no
Subsystem sftp /usr/lib/ssh/sftp-server





All other options MUST NOT be changed from the defaults or from those settings specified here. Specifically, you 
MUST NOT add other authentication methods (AFS, Kerberos, host-based) to those permitted here. 
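The option set above can be verified mechanically rather than by eye. The script below is an added example, not part of this guide or of the OpenSSH package: REQUIRED_SSHD is the list from this section, the file argument (defaulting to /etc/ssh/sshd_config) is an assumption, and the lookup mimics how sshd reads the file, namely case-insensitive keywords, comments ignored, and the first occurrence of a keyword winning over later duplicates (see sshd_config(5)).

```sh
# Added example (not from the SLES guide): compare an sshd_config file with
# the option set required by section 3.7.

REQUIRED_SSHD="Protocol=2
Ciphers=3des-cbc
PermitRootLogin=no
RSAAuthentication=no
PubkeyAuthentication=yes
IgnoreRhosts=yes
RhostsRSAAuthentication=no
HostbasedAuthentication=no
PasswordAuthentication=yes
PermitEmptyPasswords=no
ChallengeResponseAuthentication=no
KerberosAuthentication=no
GSSAPIAuthentication=no
PAMAuthenticationViaKbdInt=no
X11Forwarding=no"

# sshd_value FILE KEYWORD: print the value sshd would use for KEYWORD.
# Keywords match case-insensitively, comment lines are skipped, and only the
# first occurrence counts, which is how sshd itself reads the file.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1" 2>/dev/null
}

# check_sshd_config [FILE]: print one line per keyword that is unset or differs
# from the required value; return 1 if any such line was printed, 0 otherwise.
check_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}
    problems=$(echo "$REQUIRED_SSHD" | while IFS='=' read -r key want; do
        got=$(sshd_value "$file" "$key")
        [ "$got" = "$want" ] || echo "$key: want '$want', got '${got:-<unset>}'"
    done)
    [ -z "$problems" ] && return 0
    echo "$problems"
    return 1
}

# Check the live file (or the file given as first argument) when run directly.
if check_sshd_config "$@"; then
    echo "sshd_config matches the evaluated configuration"
fi
```

A keyword reported as "<unset>" is one that is absent from the file and therefore falls back to the sshd default; in this configuration every listed keyword MUST appear explicitly, so an unset entry is a deviation even when the default happens to match.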


3.8 Setting up xinetd 


The xinetd super server is used to start the FTP daemon. The defaults entry in the /etc/xinetd.conf file specifies the log
file and the data that is to be logged:


defaults
{
        log_type        = FILE /var/log/xinetd.log
        log_on_success  = PID HOST EXIT DURATION
        log_on_failure  = HOST ATTEMPT RECORD
        instances       = 2
}


Please see the man page for xinetd.conf for more information on xinetd and configuration examples.
3.9 Setting up FTP


The system includes FTP services. The FTP server is started via xinetd, see xinetd(8). The following entry is the only
active configuration entry in /etc/xinetd.conf:


service ftp
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        instances       = UNLIMITED
}




The vsftpd daemon uses several additional configuration files. In /etc/vsftpd.conf the configuration of the ftp daemon is
specified. In addition, for access control, the classic /etc/ftpusers file is used. Users listed in the ftpusers file can NOT log in
via FTP. This file initially contains all system IDs and the root user. It can be augmented with other IDs according to
the local needs. The ftpusers file is not checked by the ftp daemon itself but by a PAM module. Please see the section
§?? "Required PAM configuration" for details.


The setup of /etc/vsftpd.conf depends on the local needs. Please refer to vsftpd.conf(5) for details. 


The default configuration permits only anonymous FTP. This setting is therefore only suitable for distribution of public 
files for which no read access control is needed. We RECOMMEND disabling anonymous FTP if you do not need this 
functionality with the following setting in /etc/vsftpd.conf: 


anonymous_enable=NO 


You MAY enable FTP authentication for local user accounts. The corresponding setting in /etc/vsftpd.conf is:


local_enable=YES


We RECOMMEND using scp(1) to copy files among users, and to use FTP only for legacy applications that do not 
support this alternative. 


3.10 Setting up Postfix 


The default settings of the postfix MTA are in accordance with the EAL3 requirements. An alias MUST be set up 
for root in /etc/aliases, as postfix will not deliver mail while running with UID 0. Specify one or more user names of 
administrators to whom mail addressed to root will be forwarded. 


Please see postfix(1), master(8) and the documentation in /usr/share/doc/packages/postfix/html/ for details. 


3.11 Setting up the audit subsystem 


This section describes only the initial setup and default configuration of the audit subsystem. Please refer to the section
§5.3 "Configuring the audit subsystem" below for information about how it works and what changes MAY be made to
the configuration.
3.11.1 Installing the packages needed for auditing


The required packages have already been installed in the previous step described in section §2.3 "Installing required
updates". The audit subsystem consists of the following packages:


kernel-source, k_deflt, k_smp
The kernels include the audit modifications, including the driver drivers/audit/* and the required hooks in the
rest of the kernel.

laus
Contains the userspace Linux Auditing Subsystem (LAuS) programs including auditd(8), aucat(8) and augrep(8),
the liblaus.so shared library, the /etc/init.d/audit startup script, the configuration in /etc/sysconfig/audit,
the /lib/security/pam_laus.so PAM module and the corresponding man pages. The corresponding
development libraries and headers are in the laus-devel RPM which is not installed as part of the evaluated
configuration.


pam-laus 
Contains an enhanced version of the PAM framework library that replaces the package pam. This library is a 
drop-in replacement that does not change the behavior of PAM, but generates an audit record for each use of a 
module stack. 

at, cron, shadow 


These packages contain audit-enabled versions of the trusted programs, which will generate audit records for 
security relevant events. 


This section describes the further changes that need to be made to reach the initial state of the evaluated configuration. 


3.11.2 Installing the updated audit.o kernel module 


The audit module distributed as part of the SLES8-SP3 kernel packages MUST be replaced with the updated copy
contained within the certification-sles-eal3 RPM package, in the subdirectory of /usr/lib/eal3/lib/kernel/ matching the
current architecture. This is done automatically by the sles-eal3 script.


If you manually rebuild the kernel and/or modules, you MUST ensure that the corresponding patch in 
/usr/lib/eal3/lib/kernel/ is applied to the kernel source. 


3.11.3 Setting up the audit configuration files 
Use the following settings in the file /etc/sysconfig/audit: 


AUDIT_ALLOW_SUSPEND=1
AUDIT_ATTACH_ALL=0
AUDIT_MAX_MESSAGES=1024
AUDIT_PARANOIA=0














In addition, set up the following files with the content shown in the corresponding appendix of this document: 


/etc/init.d/audit 
/etc/audit/audit.conf 
/etc/audit/filter.conf 
/etc/audit/eal3files.conf 


The sles-eal3 script automatically sets up this configuration. 
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3.11.4 Starting auditd at boot as a system service 


The evaluated configuration runs auditd as a standard daemon service launched as part of the normal startup
sequence; this is activated with the following command:


insserv audit 


3.11.5 Starting auditd in fail-secure mode from init (OPTIONAL) 


Running auditd as a system service is the standard and recommended method; other system components such as
cron and atd are also launched in this way.


However, if auditd is killed or unexpectedly terminates, audit messages will be lost until the administrator restarts 
the service. This failure mode does not violate CAPP requirements, because only the sysadmin can kill the audit 
daemon, and the only failure mode addressed by CAPP concerns running out of disk space which is handled directly 
by auditd. Any other abnormal termination would indicate a serious bug that should be investigated, reported and 
fixed. 


If you want to ensure that an instance of auditd will always be running even in case of these unusual failure modes,
you MAY set up an alternative configuration and launch auditd via the init daemon.


To do this, disable the audit system service and instead create and activate a respawn entry in the file /etc/inittab:


insserv -r audit
echo "au:35:respawn:/etc/init.d/audit inittab" >> /etc/inittab
init q


This operating mode ensures that an instance of auditd will always be running, because init will automatically
restart auditd immediately if it terminates for any reason. If init cannot restart auditd in this way, it will generate
a syslog warning message and deactivate the inittab entry for five minutes, then try again.


3.12 Introduction to Pluggable Authentication Module (PAM) configuration 


The PAM subsystem is responsible for maintaining passwords and other authentication data. Because this is a security- 
critical system, understanding how it works is very important. In addition to the pam(8) manual page, full documenta- 
tion is available in /usr/share/doc/packages/pam/text/, and includes ”The Linux-PAM System Administrator’s Guide” 
(pam.txt) as well as information for writing PAM applications and modules. Detailed information about modules is 
available in /usr/share/doc/packages/pam/modules/README.pam_*, as well as manual pages for individual modules, 
i.e. pam_pwcheck(8). 


The PAM configuration is stored in the /etc/pam.d/ directory. Note that the documentation refers to a file /etc/pam.conf 
which is not used by SLES (PAM was compiled to ignore this file if the /etc/pam.d/ directory exists). 


Each service (application) that uses PAM for authentication uses a service-name to determine its configuration, stored 
in the file /etc/pam.d/SERVICE_NAME. The special service-name OTHER (case insensitive) is used for default set- 
tings if there are no specific settings. 


The configuration file for the service contains one entry for each module, in the format: 
module-type control-flag module-path args 


Comments MAY be used, extending from '# to the end of the line, and entries MAY be split over multiple lines, using 
a backslash at the end of a line as a continuation character. 


The module-type defines the type of action being done. This can be one of four types: 
auth
Authenticates users (determines that they are who they claim to be). It can also assign credentials, i.e. additional
group memberships beyond those specified through /etc/passwd and /etc/group - this additional functionality
MUST NOT be used.

account 
Account management not related to authentication, i.e. restricting access based on time of day, available system 
resources or the location of the user (network address or system console). 

session 
Manages resources associated with a service by running specified code at the start and end of the session. Typical 
usage includes logging and accounting, and initialization such as auto mounting a home directory. 

password 


Used for updating the password (or other authentication token), i.e. when using the passwd(1) utility to change 
it. 


The control-flag specifies the action that will be taken based on the success or failure of an individual module. The 
modules are stacked (executed in sequence), and the control-flags determine which final result (success or failure) will 
be returned, thereby specifying the relative importance of the modules. 


Stacked modules are executed in the order specified in the configuration file. 


The control-flag can be specified as either a single keyword, or alternatively with a more elaborate syntax that allows 
greater control. SLES uses only the single keyword syntax by default. 


required 
If this module returns a failure code, the entire stack will return failure. The failure will be reported to the 
application or user only after all other modules in the stack have been run, to prevent leakage of information (for 
example, ask for a password even if the entered username is not valid). 

requisite 
Same as required, but return failure immediately, not executing the other modules in the stack. Can be used to 
prevent a user from entering a password over an insecure connection. 

sufficient 
Return success immediately if no previous required modules in the stack have returned failure. Do not execute 
succeeding modules. 

optional 


The return code of this module is ignored, except if all other modules in the stack return an indeterminate result 
(PAM_IGNORE). 


The module-path specifies the filename of the module to be run (relative to the directory /lib/security/), and the optional
args are passed to the module - refer to the module's documentation for supported options.


3.13 Required Pluggable Authentication Module (PAM) configuration 


You MUST restrict authentication to services that are explicitly specified. The 'other' fallback MUST be disabled
by specifying the pam_deny.so module for each module-type in the 'other' configuration. This ensures that access
decisions within the PAM system are handled only by the service-specific PAM configuration.


You MUST add the pam_wheel.so module to the ’auth’ module_type configuration for the ’su’ service and specify the 
trusted’ group. 
You MUST add the pam_tally.so module to the 'auth' module-type configuration to disable accounts after a certain
number of failed login attempts. Be aware that this can be used in denial-of-service attacks to lock out legitimate users.


You MUST use the pam_passwdqc.so password quality checking module to ensure that users will not use easily
guessable passwords.


You MUST NOT modify other settings; specifically, you MUST use the 'md5' and 'use_cracklib' options for the
pam_pwcheck.so module.


The 'remember=XX' option must be added to the /etc/security/pam_pwcheck.conf file to force users to create new
passwords and not re-use ones that they had previously, i.e. to prevent users from simply alternating between two
passwords when asked to change it due to expiration. XX is any number between 7 and 400.


The system supports many other PAM modules apart from the ones shown here. In general, PAM modules that restrict 
logins further MAY be used. You MUST NOT weaken the login restrictions through configuration changes of the 
modules shown here or via additional modules. 
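The requirements in this section (pam_deny.so in every stack of 'other', pam_wheel.so with the trusted group for 'su', pam_tally.so in the auth stacks, pam_passwdqc.so in the password stacks) can be checked against a pam.d directory with the script below. It is an added example, not part of this guide or of the PAM package: the directory argument (defaulting to /etc/pam.d) is an assumption so that a staging copy can be checked, and the parser applies the file syntax described in section 3.12 (comments to end of line, backslash continuation, module path relative to /lib/security/).

```sh
# Added example (not from the SLES guide): check a pam.d directory for the
# entries required by section 3.13.

# pam_has DIR SERVICE TYPE MODULE [ARG]
# Succeed if DIR/SERVICE contains a line of module-type TYPE whose module
# (compared by basename, so absolute paths also match) is MODULE and, when
# ARG is given, whose arguments include ARG. Comments are stripped and
# backslash-continued lines joined before matching.
pam_has() {
    [ -r "$1/$2" ] || return 1
    awk -v type="$3" -v mod="$4" -v arg="$5" '
        { sub(/#.*/, "") }                                  # drop comments
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
        { $0 = buf $0; buf = "" }                           # re-split joined line
        NF >= 3 && $1 == type {
            m = $3; sub(/.*\//, "", m)                      # basename of module-path
            if (m != mod) next
            if (arg == "") { found = 1; exit }
            for (i = 4; i <= NF; i++) if ($i == arg) { found = 1; exit }
        }
        END { exit !found }' "$1/$2"
}

# check_pam_config [DIR]: print each unmet requirement; return 1 if any.
check_pam_config() {
    dir=${1:-/etc/pam.d}
    status=0
    for t in auth account password session; do
        pam_has "$dir" other "$t" pam_deny.so ||
            { echo "other: $t stack lacks pam_deny.so"; status=1; }
    done
    pam_has "$dir" su auth pam_wheel.so group=trusted ||
        { echo "su: auth stack lacks pam_wheel.so group=trusted"; status=1; }
    for s in login sshd su vsftpd; do
        pam_has "$dir" "$s" auth pam_tally.so ||
            { echo "$s: auth stack lacks pam_tally.so"; status=1; }
    done
    for s in login sshd passwd; do
        pam_has "$dir" "$s" password pam_passwdqc.so ||
            { echo "$s: password stack lacks pam_passwdqc.so"; status=1; }
    done
    return $status
}

# When invoked with a directory argument, check that directory.
if [ $# -gt 0 ]; then check_pam_config "$1"; fi
```

A service file that is missing altogether is reported the same way as one with the wrong stack, since in both cases the 'other' fallback would decide the access request.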


Here are the pam configuration files:


3.13.1 /etc/pam.d/chage 


This file configures the access control for the chage command. It allows the use of chage only after the user’s password 
has been entered or the calling user is ’root’. 


#%PAM-1.0
# root is allowed to use chage without authentication
auth     sufficient pam_rootok.so
auth     required   pam_unix2.so
account  required   pam_permit.so
password required   pam_deny.so
session  required   pam_deny.so


3.13.2 /etc/pam.d/chfn 


This file configures the access control for the chfn command. It allows the use of chfn only after the user's password 
has been entered or the calling user is ’root’. 


#%PAM-1.0
auth     sufficient pam_rootok.so
auth     required   pam_unix2.so
account  required   pam_unix2.so
password required   pam_deny.so
session  required   pam_deny.so


3.13.3 /etc/pam.d/chsh 


This file configures the access control for the chsh command. It allows the use of chsh only after the user's password 
has been entered or the calling user is ’root’. 


#%PAM-1.0
auth     sufficient pam_rootok.so
auth     required   pam_unix2.so
account  required   pam_unix2.so
password required   pam_deny.so
session  required   pam_deny.so
3.13.4 /etc/pam.d/login


This file configures the behavior of the login program. It allows root login only for terminals configured in
/etc/securetty. If the file /etc/nologin is present, then only root can log in. The optional pam_env module MAY be
used to set environment variables from /etc/security/pam_env.conf. The optional pam_mail module MAY be used to
notify the user that there is new mail. The pam_tally module MUST be used to block the user after 5 failed login
attempts. The optional pam_limits module MAY be used to enforce resource limits via /etc/security/limits.conf.





#%PAM-1.0
auth     required  pam_tally.so onerr=fail no_magic_root
auth     requisite pam_unix2.so
auth     required  pam_securetty.so
auth     required  pam_nologin.so
auth     required  pam_env.so          # optional
auth     required  pam_mail.so         # optional
account  required  pam_unix2.so
account  required  pam_tally.so deny=6 reset no_magic_root
password requisite pam_passwdqc.so ask_oldauthtok=update check_oldauthtok
password requisite pam_pwcheck.so use_first_pass use_authtok
password required  pam_unix2.so use_first_pass use_authtok
session  required  pam_unix2.so
session  required  pam_limits.so       # optional
session  optional  pam_laus.so         # no lockout on failure


3.13.5 /etc/pam.d/other 


This configuration applies for all PAM usage for which no explicit service is configured. It will log and block any 
attempts. 


#%PAM-1.0

auth required pam_warn.so 
auth required pam_deny.so 
account required pam_warn.so 
account required pam_deny.so 
password required pam_warn.so 
password required pam_deny.so 
session required pam_warn.so 
session required pam_deny.so 





3.13.6 /etc/pam.d/passwd 


This service configuration applies to password changes. Please see also /etc/security/pam_pwcheck.conf. 


#%PAM-1.0
auth     required  pam_unix2.so
account  required  pam_unix2.so
password requisite pam_passwdqc.so ask_oldauthtok=update check_oldauthtok
password requisite pam_pwcheck.so use_first_pass use_authtok
password required  pam_unix2.so use_first_pass use_authtok
session  required  pam_unix2.so
3.13.7 /etc/pam.d/sshd


This file configures the PAM usage for SSH. This is identical to the login configuration except for the securetty entry 
which is not applicable to network logins. 





#%PAM-1.0
auth     required  pam_tally.so onerr=fail no_magic_root
auth     required  pam_unix2.so
auth     required  pam_nologin.so
auth     required  pam_env.so          # optional
account  required  pam_unix2.so
account  required  pam_nologin.so
account  required  pam_tally.so deny=6 reset no_magic_root
account  required  pam_laus.so detach
password requisite pam_passwdqc.so ask_oldauthtok=update check_oldauthtok
password requisite pam_pwcheck.so use_first_pass use_authtok
password required  pam_unix2.so use_first_pass use_authtok
session  required  pam_unix2.so
session  required  pam_limits.so       # optional


3.13.8 /etc/pam.d/su 


This file configures the behavior of the ’su’ command. Only users in the trusted group can use it to become ’root’, as 
configured with the pam_wheel module. 


#%PAM-1.0
auth     sufficient pam_rootok.so
auth     required   pam_wheel.so use_uid group=trusted
auth     required   pam_unix2.so
auth     required   pam_tally.so onerr=fail no_magic_root
account  required   pam_unix2.so
account  required   pam_tally.so no_magic_root # deny=5 reset
password required   pam_deny.so
session  required   pam_unix2.so





Forcing the root user to change the root password is not desired here, therefore the pam_unix2.so module is absent in 
the password branch and pam_deny.so is used instead. 


3.13.9 /etc/pam.d/useradd 


This file allows the root user to add accounts without entering the root password. 


#%PAM-1.0
auth     sufficient pam_rootok.so
auth     required   pam_deny.so
account  required   pam_permit.so
password required   pam_permit.so
session  required   pam_deny.so
3.13.10 /etc/pam.d/vsftpd


This file configures the authentication for the FTP daemon. With the listfile module, users listed in /etc/ftpusers are 
denied FTP access to the system. 


#%PAM-1.0
auth     required pam_tally.so onerr=fail no_magic_root
auth     required pam_listfile.so item=user sense=deny \
                  file=/etc/ftpusers onerr=fail
auth     required pam_unix2.so
account  required pam_unix2.so
account  required pam_tally.so deny=6 reset no_magic_root
account  required pam_laus.so detach
password required pam_deny.so
session  required pam_unix2.so





Note that the FTP protocol has no provisions for changing passwords, therefore the pam_unix2.so module is absent in 
the password branch and pam_deny.so is used instead. 


3.13.11 /etc/security/pam_pwcheck.conf


This file contains the default options for the pam_pwcheck module. This makes it easier to set a global policy. The md5
option enables long passwords (up to 127 characters, see also the limit in /etc/login.defs), and the use_cracklib option
activates password quality checks against standard dictionary and permutation attacks. The remember option ensures
that the user does not reuse passwords by keeping track of the specified number of previously used passwords in the
file /etc/security/opasswd.


password: md5 use_cracklib remember=7 


3.13.12 /etc/security/pam_unix2.conf


This file contains the default options for the pam_unix2 module. This makes it easier to set a global policy. The md5
option enables long passwords (up to 127 characters, see also the limit in /etc/login.defs). The trace option activates
session tracing (start/stop) via syslog.


auth: 

account: 
password: md5 
session: trace 


3.14 Setting up login controls 


The system supports various options to control log ins in /etc/login.defs. The following table explains the options and 
the values needed for the EAL3 system. 


The UMASK entry sets the default umask to the most restrictive setting. Users and processes MAY override this 
setting as required, i.e. through a setting in their personal shell profile or a service-specific configuration file. 


FAIL_DELAY          3       # Delay between failed logins in seconds (MUST be at least 3)
FAILLOG_ENAB        yes     # Enable logging of failed logins (login program only)
LOG_UNKFAIL_ENAB    no      # Do not display unknown user names on failed logins
LASTLOG_ENAB        yes     # Log last login
OBSCURE_CHECKS_ENAB yes     # Enable more strict password checks
UMASK               077     # Default file permission mask
PASS_MAX_DAYS       60      # Maximum password life time (<= 60)
PASS_MIN_DAYS       1       # Minimum password life time (0 < PASS_MIN_DAYS < PASS_MAX_DAYS)
PASS_MIN_LEN        8       # Minimum password length (MUST be at least 8)
PASS_WARN_AGE       5       # Warn days before expiry
CRACKLIB_DICTPATH   /usr/lib/cracklib_dict  # Base name of the cracklib library
LOGIN_RETRIES       3       # Retries before the login process is killed
LOGIN_TIMEOUT       60      # Max time in seconds per login attempt
PASS_CHANGE_TRIES   3       # Max attempts at changing passwords
PASS_ALWAYS_WARN    yes     # Warn even root about weak passwords
PASS_MAX_LEN        127     # Maximum usable length of password
CHFN_AUTH           yes     # Require password for chfn/chsh
CHFN_RESTRICT       rwh     # Fields that chfn may change
DEFAULT_HOME        no      # Disallow login without home directory
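The table fixes some values exactly and gives bounds for others (FAIL_DELAY at least 3, PASS_MAX_DAYS at most 60, PASS_MIN_LEN at least 8, PASS_MIN_DAYS between 0 and PASS_MAX_DAYS exclusive). The script below is an added example, not part of this guide or of the shadow package, that checks a login.defs file against those constraints. The file argument (defaulting to /etc/login.defs) is an assumption so that a staging copy can be checked; if a key appears more than once, this check uses the last definition.

```sh
# Added example (not from the SLES guide): verify login.defs against the
# values and bounds given in section 3.14.

# logindefs_value FILE KEY: print the value of KEY (comments and blank lines
# skipped; the last definition wins if KEY appears more than once).
logindefs_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == key { v = $2 }
        END { print v }' "$1" 2>/dev/null
}

# check_login_defs [FILE]: print one line per deviation; return 1 if any.
check_login_defs() {
    file=${1:-/etc/login.defs}
    status=0
    # Keys whose value the table fixes exactly.
    for pair in FAILLOG_ENAB=yes LOG_UNKFAIL_ENAB=no LASTLOG_ENAB=yes \
                OBSCURE_CHECKS_ENAB=yes UMASK=077 PASS_ALWAYS_WARN=yes \
                CHFN_AUTH=yes CHFN_RESTRICT=rwh DEFAULT_HOME=no PASS_MAX_LEN=127; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(logindefs_value "$file" "$key")
        [ "$got" = "$want" ] ||
            { echo "$key: want $want, got ${got:-<unset>}"; status=1; }
    done
    # Keys for which the table states a bound rather than one value.
    fail_delay=$(logindefs_value "$file" FAIL_DELAY)
    max_days=$(logindefs_value "$file" PASS_MAX_DAYS)
    min_days=$(logindefs_value "$file" PASS_MIN_DAYS)
    min_len=$(logindefs_value "$file" PASS_MIN_LEN)
    [ "${fail_delay:-0}" -ge 3 ] ||
        { echo "FAIL_DELAY must be at least 3 (got ${fail_delay:-<unset>})"; status=1; }
    [ "${max_days:-99999}" -le 60 ] ||
        { echo "PASS_MAX_DAYS must be <= 60 (got ${max_days:-<unset>})"; status=1; }
    [ "${min_days:-0}" -gt 0 ] && [ "${min_days:-0}" -lt "${max_days:-99999}" ] ||
        { echo "PASS_MIN_DAYS must satisfy 0 < PASS_MIN_DAYS < PASS_MAX_DAYS (got ${min_days:-<unset>})"; status=1; }
    [ "${min_len:-0}" -ge 8 ] ||
        { echo "PASS_MIN_LEN must be at least 8 (got ${min_len:-<unset>})"; status=1; }
    return $status
}

# When invoked with a file argument, check that file.
if [ $# -gt 0 ]; then check_login_defs "$1"; fi
```

An unset PASS_MAX_DAYS is reported as a deviation because the shadow default (no expiry) is far above the 60-day limit, whereas an unset PASS_MIN_DAYS fails the lower bound; both cases are deliberate so that a missing line is never read as compliant.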


3.14.1 Maintaining cracklib dictionaries 
The dictionary files used by cracklib are stored in /usr/lib/: 


/usr/lib/cracklib_dict.hwm 
/usr/lib/cracklib_dict.pwd 
/usr/lib/cracklib_dict.pwi 


To create custom dictionary files instead of the supplied ones, the command /usr/sbin/create-cracklib-dict MAY be 
used as follows: 


/usr/sbin/create-cracklib-dict wordlist wordlist 


This will generate a new set of dictionary files from the supplied word lists. Suggested word lists are included in the 
source RPM package of cracklib. We RECOMMEND adding dictionaries for your local language and other languages 
likely to be known by your user community. 


3.15 Configuring the boot loader 
You MUST set up the server in a secure location where it is protected from unauthorized access, which is sufficient to 
protect the boot process. 
We nevertheless RECOMMEND configuring the following additional protection mechanisms:

• Ensure that the installed system boots exclusively from the disk partition containing SLES, and not from floppy
  disks, USB drives, CD-ROMs or other devices.

• Ensure that this setting cannot be modified, i.e. by using a BootProm/BIOS password to protect access to the
  configuration.
3.15.1 GRUB boot loader configuration


The GRUB boot loader is used on the xSeries and eServer 350 (Opteron) platforms. It is highly configurable, and
permits flexible modifications at boot time through a special-purpose command line interface. Please refer to the
grub(8) man page or run info grub for more information.


• Use the password command in /boot/grub/menu.lst to prevent unauthorized use of the boot loader interface.
  We RECOMMEND that you use MD5 encoding; run the command 'grub-md5-crypt' to generate the encoded
  version of a password.

• Protect all menu entries other than the default SLES boot with the 'lock' command (add in a single line after
  'title') to prompt for a password when booting from other media (i.e. floppy).

• Remove group and world read permissions from the grub configuration file if it contains a password:
  chmod 600 /boot/grub/menu.lst


All changes to the configuration take effect automatically on the next boot, there is no need to re-run an activation 
program. 


Example configuration: 


color white/blue black/light-gray
default 0
timeout 8
password --md5 $1$04711/$H/JW2MYeugX6Y1h3v.1Iz0

title linux
    kernel (hd0,1)/boot/vmlinuz root=/dev/sda2
    initrd (hd0,1)/boot/initrd

title failsafe
    lock
    kernel (hd0,1)/boot/vmlinuz.shipped root=/dev/sda2 ide=nodma apm=off acpi=off vga=normal nosmp disableapic maxcpus=0 3
    initrd (hd0,1)/boot/initrd.shipped


The configuration shown here might not be exactly the configuration used on the installed system, depending on the 
kernel options needed for the hardware. 


3.15.2 Yaboot boot loader configuration 

Yaboot is used on the pSeries machines. It is an OpenFirmware-based boot loader and can be reconfigured at boot time from a specialized command line. 

Yaboot and GRUB are very similar; both support MD5-encrypted passwords specified in the configuration file. 

You need to re-run the ybin(8) tool when you have modified the configuration file; this is, however, not necessary if you replace a kernel and keep all path names unchanged. 


Please refer to the yaboot.conf(5) and ybin(8) manual pages and the yaboot HOWTO for more information: 


http://penguinppc.org/projects/yaboot/doc/yaboot-howto.shtml 

3.15.3 ZIPL boot loader configuration 


The ZIPL boot loader is used on the zSeries mainframe when the system is set up using the VM virtualization layer. In this context, "booting" refers to the initial program load (IPL) done from the CP command prompt, which affects only a single specific Linux instance (a.k.a. "partition", which refers to the running system and not the disk partition in this context). 


Configuration of the VM system is beyond the scope of this document. You MUST ensure that the configuration 
settings and virtual devices used are only accessible to the authorized administrators. Do NOT use unencrypted 3270 
sessions for console access on insecure networks. 


ZIPL writes a boot record on the virtual disk (DASD) used by this Linux instance; this boot record then proceeds to load and run the Linux kernel itself. The zipl command must be re-run after any kernel or boot argument modifications. Please refer to the zipl(8) man page for more information. 


# Generated by YaST2 
[defaultboot] 
default=ipl 

[ipl] 
target=/boot/zipl 
image=/boot/kernel/image 
ramdisk=/boot/initrd 
parameters="dasd=0200 root=/dev/dasda1" 


3.15.4 iSeries kernel slots 


Similar to zSeries, the iSeries hosts use an initial program load (IPL) system to load and initialize a virtual Linux instance. There is no boot loader program on the Linux side; the host platform's boot loader is configured through device drivers accessed via virtual files in the /proc file system. 


Here is a sample session to copy a kernel to kernel slot B (usually reserved for experimental kernels, A is the production kernel), and activate it: 

dd if=/boot/vmlinux.sm of=/proc/iSeries/mf/B/vmlinux bs=4k 
cat /proc/cmdline > /proc/iSeries/mf/B/cmdline 
echo "B" > /proc/iSeries/mf/side 

For more information, please refer to: 

http://www-1.ibm.com/servers/eserver/iseries/linux/tech_faq.html 





3.16 Reboot and initial network connection 
After all the changes described in this chapter have been done, you MUST reboot the system to ensure that all unwanted 
tasks are stopped, and that the running kernel, modules and applications all correspond to the evaluated configuration. 


Please make sure that the boot loader is configured correctly for your platform. On zSeries, remember to run the zipl(8) tool to write the boot record. 


The system will then match the evaluated configuration. The server MAY then be connected to a secure network as 
described above. 
4 System operation 


To ensure that the system remains in a secure state, special care MUST be taken during system operation. 


4.1 System startup, shutdown and crash recovery 


Use the shutdown(8), halt(8) or reboot(8) programs as needed to shut down or reboot the system. 


When powered on (or on initial program load of the logical partition on a host system), the system will boot into the SLES operating system. If necessary (i.e. after a crash), a filesystem check will be performed automatically. In rare cases manual intervention is necessary; please refer to the e2fsck(8) and debugfs(8) documentation for details in this case. 


In case a nonstandard boot process is needed (for example booting from floppy disk or CD-ROM to replace a defective 
hard drive), interaction with the boot loader and/or the host’s management system can be used to modify the boot 
procedure for recovery. 


For example, on xSeries you can use the following grub commands to launch a shell directly from the kernel, bypassing the normal init/login mechanism: 

# view the current grub configuration 
grub> cat (hd0,1)/boot/grub/menu.lst 

# manually enter the modified settings 
grub> kernel (hd0,1)/boot/vmlinuz root=/dev/sda1 init=/bin/sh 
grub> initrd (hd0,1)/boot/initrd 
grub> boot 


Please refer to the relevant documentation of the boot loader, as well as the SuSE administrator guide, for more 
information. 


4.2 Backup and restore 


Whenever you make changes to security-critical files, you MAY need to be able to track the changes made and revert 
to previous versions, but this is not required for compliance with the evaluated configuration. 


The star(1) archiver is RECOMMENDED for backups of complete directory contents; please refer to the section §6.5 "Data import / export". Regular backups of the following files and directories (on removable media such as CD-R, or on a separate host) are RECOMMENDED: 


/etc/ 
/usr/lib/cracklib_dict.* 
/var/spool/cron/ 
/var/spool/atjobs/ 


You MUST protect the backup media from unauthorized access, because the copied data does not have the access 
control mechanisms of the original file system. Among other critical data, it contains the secret keys used by the SSH 
and stunnel servers, as well as the /etc/shadow password database. Store the backup media at least as securely as the 
server itself. 


A RECOMMENDED method to track changes is to use a version control system. RCS is easy to set up because it does not require setting up a central repository for the changes, and you can use shell scripting to automate the change tracking. RCS is not included in the evaluated configuration; see rcsintro(1) in the rcs RPM package for more information. Alternatively, you can manually create backup copies of the files and/or copy them to other servers using scp(1). 
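A lightweight way to notice that a security-critical file has changed, independent of RCS or of full backups, is to keep checksum manifests of the directories listed above and compare them. The functions below are an added example written for this guide's context (not the guide's own procedure and not RCS); they assume the base tools cksum(1), comm(1), cut(1), sort(1) and grep(1), and the manifest file names are chosen by the caller. They store no file contents, so they complement a backup rather than replace it: 

```shell
#!/bin/sh
# Added example, not from the SLES guide: detect changes to security-critical
# files by comparing checksum manifests taken at different times.

# snapshot_manifest DIR OUTFILE
#   Write one "checksum size path" line per regular file below DIR, sorted
#   line by line so that two manifests can be compared with comm(1).
snapshot_manifest() {
    find "$1" -type f -exec cksum {} + | sort > "$2"
}

# manifest_changes OLD NEW
#   Print "added PATH", "changed PATH" or "removed PATH" for every difference
#   between two manifests (sorted), and return 1 if there was any difference.
manifest_changes() {
    old=$1; new=$2
    report="$new.changes"
    # path lists, used to tell "changed" apart from "added"/"removed"
    cut -d' ' -f3- "$old" | sort > "$old.paths"
    cut -d' ' -f3- "$new" | sort > "$new.paths"
    : > "$report"
    # lines only in NEW: a new file, or a known path whose checksum or size changed
    comm -13 "$old" "$new" | cut -d' ' -f3- | while IFS= read -r p; do
        if grep -Fxq -- "$p" "$old.paths"; then
            echo "changed $p"
        else
            echo "added $p"
        fi
    done >> "$report"
    # lines only in OLD whose path no longer exists at all
    comm -23 "$old" "$new" | cut -d' ' -f3- | while IFS= read -r p; do
        grep -Fxq -- "$p" "$new.paths" || echo "removed $p"
    done >> "$report"
    sort "$report"
    [ ! -s "$report" ]
}
```

Take a manifest of /etc (for example snapshot_manifest /etc /var/lib/manifests/etc-$(date +%F)) at regular intervals and compare it with the previous one; keep the manifests off the host, since a manifest an intruder can rewrite proves nothing. 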
4.3 Gaining superuser access 


System administration tasks require superuser privileges. Since directly logging on over the network as user 'root' is disabled, you MUST first authenticate using an unprivileged user ID, and then use the su command to switch identities. Note that you MUST NOT use the 'root' rights for anything other than those administrative tasks which require these privileges; all other tasks MUST be done using your normal (non-root) user ID. 


You MUST use the su(1) command in exactly the following way to gain superuser access: 
/bin/su - 


This ensures that the correct binary is executed irrespective of PATH settings or shell aliases, and that the root shell 
starts with a clean environment not contaminated with the starting user’s settings. This is necessary because the .profile 
shell configuration and other similar files are writable for the unprivileged ID, which would allow an attacker to easily 
elevate privileges to root if able to subvert these settings. 


The administrator MUST NOT add any directories to the root user's PATH that are writable for anyone other than 'root', and similarly MUST NOT use or execute any scripts, binaries or configuration files that are writable for anyone other than 'root', or where any containing directory is writable for a user other than 'root'. 


4.4 Installation of additional software 
Additional software packages MAY be installed as needed from the SLES CDs, provided that they do not conflict with 
the security requirements. 


Any additional software added is not intended to be used with superuser privileges. The administrator MUST use only 
those programs that are part of the original evaluated configuration for administration tasks, except if the administrator 
has independently ensured that use of the additional software is not a security risk. 


Administrators MAY add scripts to automate tasks as long as those only depend on and run programs that are part of 
the evaluated configuration. 


The security requirements for additional software are: 


• Kernel modules MUST NOT be installed or loaded. 

• Device special nodes MUST NOT be added to the system. 

• setuid root or setgid root programs MUST NOT be added to the system. Programs which use setuid or setgid bits to run with identities other than 'root' MAY be added. 

• The content, permissions and ownership of all existing filesystem objects (including directories and device nodes) that are part of the evaluated configuration MUST NOT be modified. Files and directories MAY be added to existing directories provided that this does not violate any other requirement. 

• Programs automatically launched with 'root' privileges MUST NOT be added to the system. Exception: processes that immediately and permanently switch to a non-privileged identity on launch are permitted, i.e. by using su USERID -c LAUNCH COMMAND in the startup file, or alternatively by using the setgroups(2), setgid(2) and setuid(2) system calls in a binary. (seteuid(2) etc. are insufficient.) 





Automatic launch mechanisms are: 

— Entries in /etc/inittab 
— Executable files or links in /etc/init.d/ and its subdirectories 
— Entries in /etc/xinetd.conf 
— Scheduled jobs using cron (including entries in /etc/cron* files) or at. 
Examples of programs that usually do not conflict with these requirements and therefore MAY be installed are compilers, interpreters, network services running with non-root rights, and similar programs. The requirements listed above MUST be verified in each specific case. 
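Two of the requirements above (no added setuid/setgid root programs, no added device nodes) and the first launch mechanism (/etc/inittab) lend themselves to a periodic check. The functions below are an added example written for this guide's context, not part of the SLES guide; they assume find(1), awk(1) and sed(1) from the base system, and take the owner name and file name as parameters so that they can be exercised against a test tree: 

```shell
#!/bin/sh
# Added example, not from the SLES guide: audit a tree for additions that
# section 4.4 forbids (setuid/setgid root files, device nodes) and list the
# commands that an inittab-format file launches as root.

# audit_setuid DIR OWNER
#   List setuid or setgid regular files below DIR (one filesystem) owned by OWNER.
#   With OWNER=root, every line printed is a violation unless the file is part
#   of the evaluated configuration.
audit_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -user "$2" 2>/dev/null | sort
}

# audit_devnodes DIR
#   List block and character device nodes below DIR; none may be added.
audit_devnodes() {
    find "$1" -xdev \( -type b -o -type c \) 2>/dev/null | sort
}

# inittab_commands FILE
#   Print the process field of every active entry (id:runlevels:action:process)
#   in FILE, skipping comments, blank lines, "off" entries and entries without
#   a process. Each printed command runs as root, so each must be part of the
#   evaluated configuration or switch identity immediately on launch.
inittab_commands() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1" |
    awk -F: '$3 != "off" {
        sub(/^[^:]*:[^:]*:[^:]*:/, "")   # drop id, runlevels, action; keep colons in the command
        if ($0 != "") print
    }'
}
```

Compare the output of audit_setuid / root and audit_devnodes / with a listing taken directly after installation; any new line is an addition that must be justified against the requirements above. 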


4.5 Scheduling processes using cron and at 


The cron(8) program schedules programs for execution at regular intervals. Entries can be modified using the 
crontab(1) program - the file format is documented in the crontab(5) manual page. 


You MUST follow the rules specified for installation of additional programs for all entries that will be executed by the 'root' user. Use non-root crontab entries in all cases where 'root' privileges are not absolutely necessary. 


The at(1) and batch(1) programs execute a command line once, at a single specified point in time. The same rules apply as for jobs scheduled via cron(8). Use atq(1) and atrm(1) to manage the scheduled jobs. 


Errors in the non-interactive jobs executed by cron and at are reported in the system log files in /var/log/, and additionally via e-mail to the user who scheduled them. 


Permission for users to schedule jobs with cron and at is controlled through allow and deny files: 


/etc/at.allow 
/etc/at.deny 
/var/spool/cron/allow 
/var/spool/cron/deny 


If the allow file exists, it takes precedence: only those users whose usernames are listed in it are permitted to use the service. If it does not exist, the deny file is used instead, and all users who are not listed in that file can use the service. 


In the SLES distribution, the allow files do not exist, and deny files are used to prevent system-internal IDs and/or 
guest users from using these services. You MAY add to the deny files, but you MUST NOT remove any of the entries 
that were in the file as originally distributed. 


You MAY create allow files (owner and group ’root’, permissions 0600), but if you do so, you MUST NOT add any 
username to the allow file that is listed in the originally distributed deny file. 
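The allow/deny decision and the rule that an allow file must not re-enable a user from the distributed deny file can be expressed as a small check. The functions below are an added example written for this guide's context, not the cron or at implementation; the file names are parameters, and because the page does not say what happens when neither file exists, that case is treated conservatively as "deny" (an assumption of this example): 

```shell
#!/bin/sh
# Added example, not from the SLES guide: the allow/deny decision that cron(8)
# and at(1) make, and a check that an allow file does not re-enable a user the
# distributed deny file blocks.

# may_schedule USER ALLOWFILE DENYFILE
#   Print "allow" or "deny". An existing allow file takes precedence and only
#   lists permitted users; otherwise everyone not in the deny file is allowed.
may_schedule() {
    user=$1; allow=$2; deny=$3
    if [ -f "$allow" ]; then
        if grep -Fxq -- "$user" "$allow"; then echo allow; else echo deny; fi
    elif [ -f "$deny" ]; then
        if grep -Fxq -- "$user" "$deny"; then echo deny; else echo allow; fi
    else
        echo deny   # assumption of this example: the guide does not cover this case
    fi
}

# check_allow_file ALLOWFILE DISTRIBUTED_DENY
#   Print every user that appears in both files and return 1 if there is any;
#   section 4.5 forbids listing such users in an allow file.
check_allow_file() {
    bad=$(grep -Fx -f "$2" "$1" || true)
    if [ -z "$bad" ]; then
        return 0
    fi
    echo "$bad"
    return 1
}
```

Run check_allow_file /var/spool/cron/allow against a pristine copy of the distributed deny file (and likewise for /etc/at.allow) whenever an allow file is created or edited. 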


The distributed file /etc/at.deny contains: 


alias 
backup 
bin 
daemon 
ftp 
games 
gnats 
guest 
irc 
lp 
mail 
man 
nobody 
operator 
proxy 
qmaild 
qmaill 
qmailp 
qmailq 
qmailr 
qmails 
sync 
sys 
www-data 


The distributed file /var/spool/cron/deny contains: 


guest 
gast 


4.6 Mounting filesystems 


If any filesystems need to be mounted in addition to those set up at installation time, the following mount options 
MUST be used if the filesystems contain data that is not part of the evaluated configuration: 


nodev, nosuid, acl 


This is necessary to ensure that mounting the filesystem does not introduce capabilities that could violate the security 
policy. Note that these settings do not completely protect against malicious code and data, therefore you MUST also 
verify that the data originates from a trustworthy source and does not compromise the server’s security. Specifically, 
be aware of the following issues: 


• Even unprivileged programs and scripts can contain malicious code that uses the calling user's rights in unintended ways, i.e. introducing trojan horses in the system, revealing confidential documents or corrupting the user's data. 

• Data on the additional filesystem MUST have appropriate access rights to prevent disclosure to or modification by unauthorized users. Be aware that imported data may have been created using user names and permissions that do not match your system's security policies. 


We RECOMMEND adding the noexec mount option to avoid accidental execution of files or scripts on additional 
mounted filesystems. 


Disk space MAY be added by mounting empty filesystems created using mkfs.ext3 and optionally moving existing files and directories onto them. The mount option acl MUST be specified for each additional ext3 filesystem. 


The filesystem MUST be mounted on an empty directory that is not used for any other purpose. We RECOMMEND 
using a subdirectory of /mnt for temporary disk mounts and subdirectories of /media for removable storage media. 


Example: 

# mount /dev/cdrom /media/cdrom -t iso9660 -o nodev,nosuid,noexec 

You MAY also add an equivalent configuration to /etc/fstab, i.e.: 

/dev/cdrom  /media/cdrom  iso9660  ro,noauto,nodev,nosuid,noexec  0 0 

You MUST NOT use the user flag; ordinary users are not permitted to mount filesystems (this is also enforced by the deletion of the SUID bit on the mount command). 
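The option rules of this section can be checked against /etc/fstab before a filesystem is mounted. The functions below are an added example written for this guide's context, not part of the SLES guide; they assume that the "additional" filesystems are the entries mounted below /mnt or /media (the locations recommended above), that nodev and nosuid are required for all of them and acl additionally for ext3, that the user option is forbidden, and that noexec is recommended: 

```shell
#!/bin/sh
# Added example, not from the SLES guide: check mount option lists against the
# rules of section 4.6. Entries below /mnt or /media are assumed to be the
# additional filesystems; the root filesystem and swap are not checked.

# missing_mount_options OPTIONS REQUIRED
#   Both arguments are comma-separated. Print the REQUIRED options absent from
#   OPTIONS (comma-separated) and return 1; return 0 if none are missing.
missing_mount_options() {
    mo_opts=",$1,"
    mo_missing=""
    mo_ifs=$IFS; IFS=','; set -- $2; IFS=$mo_ifs
    for mo_r in "$@"; do
        case "$mo_opts" in
            *",$mo_r,"*) ;;
            *) mo_missing="${mo_missing:+$mo_missing,}$mo_r" ;;
        esac
    done
    if [ -z "$mo_missing" ]; then
        return 0
    fi
    echo "$mo_missing"
    return 1
}

# audit_fstab FILE
#   For every entry below /mnt or /media in an fstab-format FILE, report the
#   required options that are missing (nodev,nosuid; plus acl for ext3), use
#   of the forbidden "user" option, and the recommended noexec when absent.
audit_fstab() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1" |
    while read -r dev mnt type opts rest; do
        case "$mnt" in
            /mnt/*|/media/*) ;;
            *) continue ;;
        esac
        req="nodev,nosuid"
        if [ "$type" = ext3 ]; then
            req="$req,acl"
        fi
        miss=$(missing_mount_options "$opts" "$req") || echo "$mnt: MUST add $miss"
        case ",$opts," in
            *,user,*) echo "$mnt: MUST NOT use the user option" ;;
        esac
        missing_mount_options "$opts" noexec >/dev/null || echo "$mnt: RECOMMEND adding noexec"
    done
}
```

The same missing_mount_options check can be applied to the option column of /proc/mounts to verify filesystems that were mounted by hand rather than from /etc/fstab. 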
4.7 Managing user accounts 


Use the useradd(8) command to create new user accounts, then assign a default password for the user (or alternatively 
permit the user to choose their own initial password if they are present). Refer to the manual pages for useradd(8) and 
passwd(1) for more information. User account names are at maximum 8 characters long. To force the user to choose 
a new password immediately after the first login, the time of the last change of the password MUST be set with the 
chage command. 


Example: 


useradd -m -c "John Doe" jdoe 
passwd jdoe 
chage -d 1970-01-01 jdoe 


If necessary, you MAY reset the user's password to a known value using passwd USER, and entering the new 
password. You cannot recover the previously used password, since the hash function used is not reversible. 


You MAY use the usermod(8) command to change a user's properties. For example, if you want to add the user 'jdoe' 
to the trusted group, you could use the following: 


# List the groups the user is currently a member of: 
groups jdoe 

# Add the additional group 
usermod -G $(su jdoe -c groups | sed 's/ /,/g'),trusted jdoe 


Users MAY be locked out (disabled) using passwd -l USER, and re-enabled using passwd -u USER. 


The chage(1) utility MAY be used to view and modify the expiry settings for user accounts. Unprivileged users are 
able to view but not modify their own expiry settings. 


The userdel(8) utility removes the user account from the system, but does not remove files outside the home directory (and the mail spool file), or kill processes belonging to this user. Use kill (or reboot the system) and find to do so manually if necessary, i.e.: 

# Which user to delete? 
U=jdoe 

# Lock user account, but don't remove it yet 
passwd -l $U 

# Kill all user processes, repeat if needed (or reboot) 
# (NR>1 skips the ps header line; column 4 of ps -l is the PID) 
kill -9 `ps -la --User $U | awk 'NR>1 {print $4}'` 

# Recursively remove all files and directories belonging to user 
# (Careful - this may delete files belonging to others if they 
# are stored in a directory owned by this user.) 
find / -depth \( ! -fstype ext3 -prune -false \) \ 
    -o -user $U -exec rm -rf {} \; 

# Remove cron and at jobs 
crontab -u $U -r 
find /var/spool/atjobs -user $U -exec rm {} \; 

# Now delete the account 
userdel $U 


You MAY specify a script that userdel executes when deleting users in /etc/login.defs. 


If you need to create additional groups or modify existing groups, use the groupadd(8), groupmod(8) and groupdel(8) 
commands. 


Group passwords are NOT supported in the evaluated configuration, and have been disabled by removing the setuid 
bit from the newgrp(8) program. You MUST NOT re-enable this feature and MUST NOT use passwd(1) with the -g 
switch or the gpasswd(1) command to set group passwords. 


When creating a new user, you will define an initial password for this user. You MUST transfer this initial password in a secure way to the user, ensuring that no third party gets the information. For example, you can tell the password to a user personally known to you. If this is not possible, you MAY send the password in written form in a sealed letter. This applies also when you set a new password for a user (i.e. in case the user has forgotten his password). You need to advise the user that he MUST change this initial password when he first logs into the system and select his own password in accordance with the rules defined in section §6.3 "Password policy". 


4.8 SYSV shared memory and IPC objects 


The system supports SYSV-compatible shared memory, IPC objects and message queues. If programs fail to release 
resources they have used (i.e. due to a crash), the administrator MAY use the ipcs(8) utility to list information about 
them, and ipcrm(8) to force deletion of unneeded objects. Note that these resources are also released when the system 
is rebooted. 


For additional information, please refer to the msgctl(2), msgget(2), msgrcv(2), msgsnd(2), semctl(2), semget(2), semop(2), shmat(2), shmctl(2), shmdt(2), shmget(2) and ftok(3) manual pages. 


4.9 Configuring secure network connections with stunnel 
4.9.1 Introduction 


The stunnel program is a flexible and secure solution for setting up encrypted network connections, enabling the use of strong encryption even for applications that are not able to use encryption natively. stunnel uses the OpenSSL library for its encryption functions, and the corresponding openssl(1) command line tool for key management. 


Stunnel has three main operating modes: 

• Accept incoming SSL-encrypted TCP connections, and run a specific program to handle the request. 

  This is similar to how xinetd launches programs, and any program compatible with xinetd can also be used for this purpose. It must read and write the communication data on the stdin and stdout file descriptors and stay in the foreground. stunnel also supports switching user and group IDs before launching the program. 

• Open an SSL connection to a remote SSL-capable TCP server, and copy data to and from stdin and stdout. 

• Bind a TCP port to accept incoming unencrypted connections, and forward data using SSL to a prespecified remote server. 


The following diagram shows a sample usage scenario: 

In this scenario, neither the client nor the server has administrator privileges; they are running as normal user processes. Also, the client and server do not support encryption directly. 


stunnel makes a secure communication channel available for the client and server. On the client, stunnel is accepting 
connections on TCP port 82. The client connects to this port on the local machine using normal unencrypted TCP, 
stunnel accepts the connection, and opens a new TCP connection to the stunnel server running on the remote machine. 
The stunnel instances use cryptographic certificates to ensure that the data stream has not been intercepted or tampered 
with, and then the remote stunnel opens a third TCP connection to the server, which is again a local unencrypted 
connection. 


Any data sent by either the client or server is accepted by the corresponding stunnel instance, encrypted, sent to the 
other stunnel, decrypted and finally forwarded to the receiving program. This way, no modifications are required to 
the client and server. 


To set up a secure connection compliant with the evaluated configuration, you MUST start the stunnel server(s) with 
administrator rights, and you MUST use a TCP port in the administrator-reserved range 1-1023 to accept incoming 
connections. 


stunnel MAY also be used to set up encrypted connections by non-administrative users using ports in the range 1024- 
65536. This is permitted, but it is outside of the scope of the evaluated configuration and not considered to be a trusted 
connection. 


Any network servers and clients other than the trusted programs described in this guide (stunnel, sshd, vsftpd (run via xinetd), postfix and lpd) MUST be run using non-administrator normal user identities. Programs run from stunnel MUST be switched to a non-root user ID by using the -s and -g flags. 


We RECOMMEND configuring any such servers to accept connections only from machine-local clients, either by binding only the localhost IP address 127.0.0.1, or by software filtering inside the application. This ensures that only encrypted connections are possible over the network. Details on how to do this depend on the software being used and are beyond the scope of this document. 


Please refer to the stunnel(1) and openssl(1) man pages for more information. 


4.9.2 Creating an externally signed certificate 


We strongly RECOMMEND that you have your server's certificate signed by an established Certificate Authority (CA), which acts as a trusted third party to vouch for the certificate's authenticity for clients. Please refer to the openssl(1) and req(1) man pages for instructions on how to generate and use a certificate signing request. 


Create the server's private key and a certificate signing request (CSR) with the following commands: 

touch /etc/stunnel/stunnel.pem 
chmod 400 /etc/stunnel/stunnel.pem 
openssl req -newkey rsa:1024 -nodes \ 
    -config /usr/share/doc/packages/stunnel/stunnel.cnf \ 
    -keyout /etc/stunnel/stunnel.pem -out /etc/stunnel/stunnel.csr 


You will be prompted for the information that will be contained in the certificate. Most important is the "Common 
Name”, because the connecting clients will check if the hostname in the certificate matches the server they were trying 
to connect to. If they do not match, the connection will be refused, to prevent a ’man-in-the-middle’ attack. 


Here is a sample interaction: 

Using configuration from /usr/share/doc/packages/stunnel/stunnel.cnf 
Generating a 1024 bit RSA private key 
.......++++++ 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
Country Name (2 letter code) [PL]:US 
State or Province Name (full name) [Some-State]:TX 
Locality Name (eg, city) []:Austin 
Organization Name (eg, company) [Stunnel Developers Ltd]:Example Inc. 
Organizational Unit Name (eg, section) []: 
Common Name (FQDN of your server) []:www.example.com 
Common Name (default) []:localhost 





The file /etc/stunnel/stunnel.pem will contain both the certificate (public key) and also the secret key needed by the 
server. The secret key will be used by non-interactive server processes, and therefore cannot be protected with a 
passphrase. You MUST protect the secret key from being read by unauthorized users, to ensure that you are protected 
against someone impersonating your server. 


Next, send the generated CSR file /etc/stunnel/stunnel.csr (not the private key) to the CA along with whatever authenticating information they require to verify your and your server's identity. The CA will then generate a signed certificate from the CSR, using a process analogous to openssl req -x509 -in stunnel.csr -key CA-key.pem -out signed-cert.pem. 


When you receive the signed certificate back from the CA, append it to the file /etc/stunnel/stunnel.pem containing the 
private key: 


cat signed-cert.pem >> /etc/stunnel/stunnel.pem 


Make sure that the resulting file contains no extra whitespace or other text in addition to the key and certificate: 

-----BEGIN RSA PRIVATE KEY----- 
MIICXQIBAAKBgQCzF3ezbZFLjgv1YHNXnBn18jmeO5MmkvdNw9XkKLnA2ONKOmvPOo 
[...] 
4tjzwTFxPKYVAW3DnXxRAkAvaf1mbc+GTMoAiepXPVfgSpW20y5r/wa0449phD5T 
OUNbDU+ezu0Pana7mmmvg3Mi+Bugw10/iU+G/grG6VGj 
-----END RSA PRIVATE KEY----- 
-----BEGIN CERTIFICATE----- 
MIIC14CCAj+gAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJQTDET 
[...] 
bIbYKL601kE/vhGmRXcXOrZzkfu8sgJv1JsDpoTpAdUnmvssUYObchgFo4Hhzkvs 
U/whL2/8RFv5jw== 
-----END CERTIFICATE----- 

You MAY distribute the original signed certificate (signed-cert.pem in this example) to clients; it does not contain any confidential information. Never distribute the file containing the private key; that is for use by the stunnel server only. 


4.9.3 Creating a self-signed certificate 


Alternatively, you MAY use a self-signed certificate instead of one signed by an external CA. This saves some time and effort when first setting up the server, but each connecting client will need to manually verify the certificate's validity. Experience shows that most users will not do the required checking and simply click "OK" for whatever warning dialogs are shown, resulting in significantly reduced security. Self-signed certificates can be appropriate for controlled environments with a small number of users, but are not recommended for general production use. 


Create a self-signed host certificate with the following commands: 

touch /etc/stunnel/stunnel.pem 
chmod 400 /etc/stunnel/stunnel.pem 
openssl req -new -x509 -days 365 -nodes \ 
    -config /usr/share/doc/packages/stunnel/stunnel.cnf \ 
    -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem 


The secret key contained in this file MUST be kept secret. 


You MAY extract the public certificate from this file for distribution to clients. Make sure you do not accidentally distribute the secret key: 

sed '1,/END/d' < /etc/stunnel/stunnel.pem > signed-cert.pem 

The client has no independent way to verify the validity of a self-signed certificate; therefore each client MUST manually verify and confirm the validity of the certificate. 
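Both the "no extra whitespace or other text" requirement for the combined key file in section 4.9.2 and the key-free extraction above can be checked rather than eyeballed. The functions below are an added example written for this guide's context, not part of the SLES guide or of stunnel; they assume awk(1) and grep(1), that the file holds exactly one private key block directly followed by exactly one certificate block, and that the PEM file names are passed as parameters: 

```shell
#!/bin/sh
# Added example, not from the SLES guide: verify the layout of the combined
# key+certificate file that stunnel reads, and extract the certificate alone
# for distribution.

# check_stunnel_pem FILE
#   Require exactly one private key block immediately followed by exactly one
#   certificate block, nothing else, and only base64 text inside the blocks.
#   Print the first problem found and return 1; return 0 if the file is clean.
check_stunnel_pem() {
    awk '
        function bad(msg) { print msg; failed = 1; exit 1 }
        /^-----BEGIN (RSA )?PRIVATE KEY-----$/ { if (state != 0) bad("unexpected key block at line " NR); state = 1; next }
        /^-----END (RSA )?PRIVATE KEY-----$/   { if (state != 1) bad("END without BEGIN at line " NR); state = 2; next }
        /^-----BEGIN CERTIFICATE-----$/        { if (state != 2) bad("certificate must directly follow the key, line " NR); state = 3; next }
        /^-----END CERTIFICATE-----$/          { if (state != 3) bad("END without BEGIN at line " NR); state = 4; next }
        state == 1 || state == 3 {
            # inside a block: base64 only, no blank lines, no trailing whitespace
            if ($0 !~ /^[A-Za-z0-9+\/=]+$/) bad("non-base64 text at line " NR)
            next
        }
        { bad("text outside key/certificate at line " NR) }
        END {
            if (failed) exit 1
            if (state != 4) { print "incomplete file"; exit 1 }
        }
    ' "$1"
}

# extract_certificate FILE OUTFILE
#   Copy only the certificate block of FILE to OUTFILE (the block that the sed
#   command above keeps) and fail if any key material slipped through.
extract_certificate() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { p = 0 }' "$1" > "$2"
    ! grep -q 'PRIVATE KEY' "$2"
}
```

Run check_stunnel_pem /etc/stunnel/stunnel.pem after appending the signed certificate, and use extract_certificate to produce the file that is handed to clients; the grep at the end is the safety net against shipping the private key. 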


One method is to give a copy of the self-signed certificate to the client (using a secure transport mechanism, not e-mail), and import it into the client directly. The stunnel client uses the -A and -a options for this purpose. 


Alternatively, many client programs (not stunnel) can interactively import the certificate when connecting to the server. The client will display information about the server's certificate including an MD5 key fingerprint. You need to compare this fingerprint with the original fingerprint of the server's certificate. 


Run the following command on the server to display the original certificate’s fingerprint: 
openssl x509 -fingerprint -in /etc/stunnel/stunnel.pem 


Most clients will store the certificate for future reference, and will not need to do this verification step on further 
invocations. 
4.9.4 Activating the tunnel 


In the evaluated configuration, you MUST use the following cipher suite as defined in the SSL v3 protocol: 


RC4-SHA = SSL_RSA_WITH_RC4_128_SHA (SC1.8) 





stunnel does not support a central configuration file, therefore you MUST specify the supported cipher by using the 
-C command line flag on each invocation of the stunnel client or server: 


stunnel -C RC4-SHA ... 


For a service or tunnel that will only be used temporarily, simply launch the stunnel program from the command line. The tunnel will be available for multiple clients, but will not be started automatically after a reboot. To shut down the tunnel again, search for the command line in the ps ax process listing and kill the PID shown: 

kill `ps ax | grep -v grep | grep 'stunnel.*-d 495' | awk '{print $1}'` 


Permanent tunnels MAY be added to /etc/inittab; these will be re-launched automatically whenever they are terminated, as well as after a reboot. Use this method for both client and server stunnel trusted instances, using the -c and -d flags appropriately: 

s1:respawn:/usr/sbin/stunnel -f [FLAGS] >>/var/log/stunnel.s1.log 2>&1 
s2:respawn:/usr/sbin/stunnel -f [FLAGS] >>/var/log/stunnel.s2.log 2>&1 

Use the same FLAGS as when running from the command line, but add the -f (foreground) flag (otherwise init will misinterpret the backgrounded server as having died and will try to restart it immediately, causing a loop), and redirect the output to a log file. 


4.9.5 Using the tunnel 


If the client program supports SSL encryption, it will be able to communicate with the stunnel service directly. You 
will need to verify and accept the server’s certificate if the client cannot recognize it as valid according to its known 
certification authorities. 


If the client program does not support SSL directly, you can use stunnel as a client, or indirectly by setting up a proxy that allows the client to connect to an unencrypted local TCP port. 


WARNING: The stunnel client does not verify the server’s certificate by default. You MUST specify either -v 2 
or -v 3 on the client command line to switch on certificate verification. 


As described in the previous section, you MUST use the -C RC4-SHA command line parameter to ensure that the 
cipher selection supported in the evaluated configuration will be used. 


You MAY also activate client certificate verification for the server to verify the client’s identity. 
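The command-line rules of sections 4.9.1, 4.9.4 and 4.9.5 (-C RC4-SHA everywhere, -f for entries in /etc/inittab, -v 2 or -v 3 for clients, -s and -g when a program is launched with -l) can be checked before a tunnel is activated. The function below is an added example written for this guide's context, not part of the SLES guide or of stunnel; it assumes the stunnel 3.x flags used in this guide, that -C, -v, -l, -s and -g each take exactly one value, and that everything after "--" belongs to the launched program. Other options are ignored: 

```shell
#!/bin/sh
# Added example, not from the SLES guide: check a stunnel command line (as
# typed at the shell or placed in /etc/inittab) against the rules stated in
# sections 4.9.1, 4.9.4 and 4.9.5.

# check_stunnel_args CONTEXT ARG...
#   CONTEXT is "shell" or "inittab". Print one line per violation; return 1 if any.
check_stunnel_args() {
    context=$1; shift
    cipher=""; client=0; verify=""; fg=0; launch=0; uid=0; gid=0; rc=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -C) cipher=$2; shift ;;     # cipher list
            -c) client=1 ;;             # client mode
            -v) verify=$2; shift ;;     # certificate verification level
            -f) fg=1 ;;                 # stay in foreground (needed under init)
            -l) launch=1; shift ;;      # program to run for each connection
            -s) uid=1; shift ;;         # user to switch to before running -l program
            -g) gid=1; shift ;;         # group to switch to before running -l program
            --) break ;;                # remaining arguments belong to the -l program
        esac
        shift
    done
    if [ "$cipher" != RC4-SHA ]; then
        echo "MUST use -C RC4-SHA"; rc=1
    fi
    if [ "$context" = inittab ] && [ "$fg" -eq 0 ]; then
        echo "MUST use -f in /etc/inittab"; rc=1
    fi
    if [ "$client" -eq 1 ] && [ "$verify" != 2 ] && [ "$verify" != 3 ]; then
        echo "client MUST use -v 2 or -v 3"; rc=1
    fi
    if [ "$launch" -eq 1 ] && { [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; }; then
        echo "launched program MUST switch identity with -s and -g"; rc=1
    fi
    return "$rc"
}
```

For an inittab entry, pass "inittab" and the FLAGS of the entry (without the shell redirection); for a command typed at the shell, pass "shell" and the arguments exactly as given to stunnel. 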
4.9.6 Example 1: system status view 


As administrator, install a server on TCP port 81 that accepts SSL connections and reports the server’s memory usage 
statistics to connecting clients: 


stunnel -C RC4-SHA -d 81 -g nogroup -s nobody \ 
    -l /usr/bin/free -- free 

As a normal user, run stunnel in client mode to connect to the server and retrieve the information: 

stunnel -C RC4-SHA -A signed-cert.pem -v 3 -c \ 
    -r 127.0.0.1:81 


Other information services can be added in a similar fashion by adding more stunnel servers with appropriate command 
lines. 


4.9.7 Example 2: Using outbound encryption with a non-encrypting client 


This example shows how the standard telnet client can be used to retrieve information from an SSL-enabled server. 
It assumes that the ”free” server is running as described in the previous example. 


As administrator, set up a proxy that accepts unencrypted connections on TCP port 82 and forwards the data using 
SSL to the (remote) server on port 81: 


stunnel -C RC4-SHA -A signed-cert.pem -v 3 -c -d 82 \ 
    -r 127.0.0.1:81 


Then, as a normal user, use unencrypted ”telnet” to connect to the proxy: 


telnet localhost 82 


4.9.8 Example 3: Secure SMTP delivery 


Normal SMTP e-mail delivery is not encrypted, but most mail clients support the enhanced SMTPS protocol that uses 
SSL encryption. The protocol itself is unchanged other than being encrypted. 


stunnel can easily be used as a proxy to receive SMTPS connections on the standard port expected by clients (465/tcp), and then forward the data to the mail server listening on the SMTP port (25/tcp). The mail server configuration does not need to be modified to support encryption of incoming mail. Run the following command as administrator: 


stunnel -C RC4-SHA -d 465 -r 25 


4.10 The Abstract Machine Testing Utility (AMTU) 


The security of the operating system depends on correctly functioning hardware. For example, the memory subsystem 
uses hardware support to ensure that the memory spaces used by different processes are protected from each other. 


The Abstract Machine Testing Utility (AMTU) is distributed as an RPM inside the certification-sles-eal3 RPM, and 
was installed previously as described in section 3.2 "Add and remove packages". 


To run all supported tests, simply execute the amtu program: 


# amtu
Executing Memory Test...
Memory Test SUCCESS!
Executing Memory Separation Test...
Memory Separation Test SUCCESS!
Executing Network I/O Tests...
Network I/O Controller Test SUCCESS!
Executing I/O Controller - Disk Test...
I/O Controller - Disk Test SUCCESS!
Executing Supervisor Mode Instructions Test...
Privileged Instruction Test SUCCESS!











The program will return a nonzero exit code on failure, which MAY be used to automatically detect failures of the 
tested systems and take appropriate action. 


Please refer to the amtu(8) man page for more details. 


5 Monitoring, Logging & Audit 


5.1 Reviewing the system configuration 


We RECOMMEND that you review the system's configuration at regular intervals to verify that it still agrees with the 
evaluated configuration. This primarily concerns those processes that may run with 'root' privileges. 


The permissions of the device files /dev/* MUST NOT be modified. 


In particular, review settings in the following files and directories to ensure that the contents and permissions have not 
been modified: 


/etc/at.allow 
/etc/at.deny 
/etc/audit/* 
/etc/cron.d/* 
/etc/cron.daily/* 
/etc/cron.hourly/* 
/etc/cron.monthly/* 
/etc/cron.weekly/* 
/etc/crontab 
/etc/ftpusers 
/etc/group 
/etc/gshadow 
/etc/hosts 
/etc/init.d/* 
/etc/inittab 
/etc/ld.so.conf 
/etc/login.defs 
/etc/modules.conf 
/etc/pam.d/* 
/etc/passwd 
/etc/securetty 
/etc/security/pam_pwcheck.conf 
/etc/security/pam_unix2.conf 
/etc/shadow 
/etc/ssh/ssh_config 
/etc/ssh/sshd_config 
/etc/sysconfig/* 
/etc/vsftpd.conf 
/etc/xinetd.conf 
/usr/lib/cracklib_dict.* 

/var/log/audit.d/* 
/var/spool/atjobs/* 
/var/spool/cron/* 
/var/spool/cron/allow 
/var/spool/cron/deny 


Use the command lastlog to detect unusual patterns of logins. 


Also verify the output of the following commands (run as ’root’): 


atq
crontab -l
find / \( -perm -4000 -o -perm -2000 \) -ls
find / \( -type f -o -type d -o -type b \) -perm -0002 -ls
find /bin /boot /etc /lib /sbin /usr \
    ! -type l \( ! -uid 0 -o -perm +022 \)
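As an added example (not code from the guide), a small POSIX shell baseline check for the review described above: it records owner, group, mode and SHA-256 for every path in a list such as the one in this section, and a later run reports whatever has changed. It assumes GNU coreutils (stat -c, sha256sum) as shipped with SLES; the list file and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the SLES Security Guide: snapshot the owner, group,
# mode and SHA-256 of the files the guide says to review, then compare a
# later snapshot against the saved baseline. Assumes GNU coreutils
# (stat -c, sha256sum) as shipped with SLES; the list file is hypothetical.

# snapshot_files LISTFILE
# LISTFILE holds one path or glob per line (the section 5.1 list). Prints one
# sorted line per object: "path uid gid mode sha256"; directories and other
# non-regular objects get "-" as hash, missing objects are marked MISSING.
snapshot_files() {
    while read -r pattern; do
        [ -z "$pattern" ] && continue
        for path in $pattern; do           # unquoted on purpose: expand globs
            if [ -f "$path" ]; then
                sum=$(sha256sum "$path" | cut -d' ' -f1)
            elif [ -e "$path" ]; then
                sum=-
            else
                printf '%s MISSING\n' "$path"
                continue
            fi
            printf '%s %s %s\n' "$path" "$(stat -c '%u %g %a' "$path")" "$sum"
        done
    done < "$1" | sort
}

# compare_baseline BASELINE CURRENT
# Returns 0 when both snapshots agree; otherwise prints each differing entry
# (prefixed with "baseline:" / "current:") and returns 1 so that a cron job
# can react to the non-zero status, much like the amtu check in section 4.10.
compare_baseline() {
    if diff "$1" "$2" >/dev/null 2>&1; then
        return 0
    fi
    diff "$1" "$2" | sed -n 's/^< /baseline: /p; s/^> /current: /p'
    return 1
}

# Typical use (as root, hypothetical paths), e.g. from a daily cron job:
#   snapshot_files /root/review-list > /root/review-baseline    # once
#   snapshot_files /root/review-list > /root/review-now
#   compare_baseline /root/review-baseline /root/review-now \
#       || logger -p auth.warning "config review: differences found"
```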


5.2 System logging and accounting 


System log messages are stored in the /var/log/ directory tree in plain text format. Most are logged through the 
syslogd(8) and klogd(8) programs, which MAY be configured via the file /etc/syslog.conf. 


The logrotate(8) utility, launched from /etc/cron.daily/logrotate, starts a fresh log file every week or when a log 
file reaches its maximum size, and automatically removes or archives old log files. You MAY change the configuration 
files /etc/logrotate.conf and /etc/logrotate.d/* as required. 


In addition to the syslog messages, various other log files and status files are generated in /var/log by other programs: 


File            Source
YaST2           Directory for YaST2 log files
audit.d         Directory for LAuS logs
boot.msg        Messages from system startup
lastlog         Last successful log in (see lastlog(8))
vsftpd.log      Transaction log of the VSFTP daemon
localmessages   Written by syslog
mail            Written by syslog, contains messages from the MTA (postfix)
messages        Written by syslog, contains messages from su and ssh
news/           syslog news entries (not used in the evaluated configuration)
warn            Written by syslog
wtmp            Written by the PAM subsystem, see who(1)
xinetd.log      Written by xinetd, logging all connections


Please see syslog(3), syslog.conf(5) and syslogd(8) man pages for details on syslog configuration. 


The ps(1) command can be used to monitor the currently running processes. Using ps faux will show all currently 
running processes and threads. 


5.3 Configuring the audit subsystem 


The audit subsystem implements a central monitoring solution to keep track of security relevant events, such as changes 
and change attempts to security critical files. 
This is accomplished through two separate mechanisms. All system calls are intercepted, and the kernel writes the 
parameters and return value to the audit log for those calls that are marked as security relevant in the filter configuration. 
In addition, some trusted programs contain audit-specific code to write audit trails of the actions they are requested to 
perform. 


Please see auditd(8), laus(7), auditd.conf(5), aucat(8) and augrep(8) for details. 


5.3.1 Intended usage of the audit subsystem 


CAPP (the Controlled Access Protection Profile) specifies the auditing capabilities that a compliant system must 
support. The evaluated configuration described here is based on these requirements. 


WARNING: Some of the CAPP requirements may conflict with your specific requirements for the system. For exam- 
ple, a CAPP-compliant system MUST disable logins if the audit subsystem is not working. Please ensure that you are 
aware of the consequences if you enable auditing. 


CAPP is designed for a multiuser system, with multiple unique users who maintain both shared and private resources. 
The auditing features are intended to support this mode of operation with a reliable trail of security-relevant operations. 
It is less useful for a pure application server with no interactive users. 


Please be aware that the auditing subsystem will, when activated, cause some slowdown for applications on the server. 
The impact depends on what the application is doing and how the audit subsystem is configured. As a rule of thumb, 
applications that open a large number of separate files are most affected, and CPU-bound programs should not be mea- 
surably affected. You will need to balance the performance requirements against your security needs when deciding if 
and how you want to use auditing. 


5.3.2 Selecting the events to be audited 


You MAY make changes to the set of system calls and events that are to be audited. CAPP requires that the system 
has the capability to audit security relevant events, but it is up to you to choose how you want to use these capabilities. 
It is acceptable to turn off system call auditing completely even in an evaluated configuration, for example on a pure 
application server with no interactive users on the system. 


The configuration file /etc/audit/filter.conf by default contains a suggested setup for a typical multiuser system: all 
access to the security relevant files (as configured in /etc/audit/eal3files.conf) is audited, along with other security 
relevant events such as system reconfiguration. 


You MAY selectively disable and enable auditing for specific events or users as required by setting up predicates and 
filters in the filter.conf file. The following excerpt from the default configuration is an example: 


predicate is-non-root-uid = !eq(0);
filter not-root-user = is-non-root-uid(login-uid);

tag "Open_Denied"
    syscall open = denied(result)
        && (( not-root-user || effectivenonroot )
        && is-sysdir(arg0) );


Please refer to the audit-filter(5) man page for more details. 


5.3.3 Reading and searching the audit records 


Use the aucat(8) and augrep(8) tools to retrieve information from the audit logs. The information available for re- 
trieval depends on the active filter configuration. If you modify the filter configuration, we RECOMMEND keeping a 
datestamped copy of the applicable configuration with the log files for future reference. 
For example: 


# view the last 100 audit records
aucat | tail -100

# view all successful PAM authentications
augrep -e TEXT -U AUTH_success

# all actions recorded for a specified login UID (this includes
# actions done by this user with a different effective UID,
# i.e. via setuid programs or as part of a "su" session)
augrep -l kw

# file removals
augrep -e SYSCALL -S unlink


Of course, you can use other tools such as plain grep(1) or scripting languages such as awk(1), python(1) or perl(1) to 
further analyze the text output generated by the low-level audit tools. 


5.3.4 Starting and stopping the audit subsystem 


The audit subsystem is only active when all of the following conditions are met: 


- The audit.o kernel module must be loaded. 

- The audit daemon auditd must be running. 

- Processes are attached to the audit subsystem by explicitly launching them with the aurun(8) wrapper program; 
  by starting them from an interactive shell session that used the pam_laus.so PAM module when logging in; or when 
  syscall auditing is enabled globally for all processes (setting AUDIT_ATTACH_ALL=1 in /etc/sysconfig/audit). 


If the audit daemon is terminated, no audit events are generated until it is restarted. To avoid lost audit records when 
you have modified the filter configuration, you MUST use the command auditd -r to re-load the filters. 


WARNING: auditd -r will not reload /etc/audit/audit.conf, it only reloads the filter configuration file. To activate 
changes to this configuration file, you MUST restart the audit daemon: 


/etc/init.d/audit restart 


You MUST NOT attempt to reload the configuration by sending auditd a HUP signal or by running 
/etc/init.d/audit reload, because that will not write the required audit record showing the reconfigura- 
tion. You MUST use one of the two restart methods described above. 


If the audit module is unloaded with rmmod, all processes are detached permanently from the audit subsystem. They 
can only be re-attached when using the AUDIT_ATTACH_ALL=1 option in /etc/sysconfig/audit. 


5.3.5 Storage of audit records 


The RECOMMENDED operating mode for the audit records is "bin mode" ("bin" as in bucket), using several 
preallocated files of constant size for the audit records. auditd will write data to the first file, and once it is filled 
switch to the next one, re-using each one in turn in a round-robin fashion. 


Each time a bin is filled, auditd will launch the configured notification program to process the file. The default 
configuration saves a copy of each filled file before re-using the storage. If the notification program exits with a failure 
status, e.g. due to lack of disk space, auditd will then take the configured action, by default setting the message 
queue size to zero and thereby blocking all processes that try to write new records. These audited processes will sleep 
until auditd resumes processing (i.e. once disk space has been freed by the administrator), then they will be woken 
up by the kernel and proceed running normally. 


You MAY instead configure round-robin reuse of the files without saving, to keep the disk space used by the audit logs 
constant. To do that, remove the "-S /var/log/audit.d/save.%u" option in /etc/audit/audit.conf. In this configuration, 
you have access to a fixed amount of historical audit data, but any new events will cyclically overwrite old data. A user 
could exploit this mechanism by intentionally generating a large number of irrelevant entries to wipe out the previously 
generated records. 


5.3.6 Reliability of audit data 


By default, the audit records are written using the normal Linux filesystem buffering, which means that information 
may be lost in a crash because it has not been written to the physical disk yet. Any applications that read the records 
while the system is running will always get the most current data out of the buffer cache, even if it has not yet been 
committed to disk, so this does not affect normal operation. If you want to ensure that auditd always forces a disk 
write for each record, you MAY set the "sync = yes," option in /etc/audit/audit.conf, but be aware that this will result 
in significantly reduced performance and high strain on the disk. 


The audit record files are not protected against a malicious administrator, and are not intended for an environment 
where the administrators are not trustworthy. 


5.4 System configuration variables in /etc/sysconfig 


The system uses various files in /etc/sysconfig to configure the system. Most files in this directory tree contain variable 
definitions in the form of shell variables that are either read by the rc scripts at system boot time or are evaluated by 
the SuSEconfig command and used as input to re-write other configuration files on the system. 





The following is a brief overview of the security relevant files, including the specification of permitted changes. 





In the evaluated configuration, no changes are permitted that would require running the SuSEconfig command to re- 
write other configuration files. You MAY run SuSEconfig, but it will have no effect on the evaluated configuration. 





5.4.1 suseconfig 


This file specifies global configuration variables. Most notably ENABLE_SUSECONFIG, which specifies whether 
SuSEconfig is allowed to modify other configuration files based on the variables in /etc/sysconfig. 


Security relevant entries that MUST NOT be changed are: 


ENABLE_SUSECONFIG="yes"   Is SuSEconfig allowed to modify configuration files?
MAIL_REPORTS_TO="root"    Where are system status mails sent to
CWD_IN_ROOT_PATH="no"     There MUST NOT be an entry for the current directory
CWD_IN_USER_PATH="no"     There MUST NOT be an entry for the current directory


5.4.2 security 


Specifies the operation mode and the configuration file for the SuSE permission system. Read by the chkstat(8) pro- 
gram which is run automatically by yast2 after installation of new software. The following settings MUST NOT be 
changed: 


CHECK_PERMISSIONS=set
PERMISSION_SECURITY="eal3"


5.4.3 cron 


Configures standard system cron jobs, like deletion of old files in /tmp or update of the man databases. The settings 
are read by the shell scripts /etc/cron.daily/*. Security relevant variables are the following settings which MUST NOT 
be changed: 


MAX_DAYS_IN_TMP=0                    How many days can files stay in /tmp
TMP_DIRS_TO_CLEAR="/tmp /var/tmp"    Which temporary directories are checked
OWNER_TO_KEEP_IN_TMP="root"          Ids for which files will not be erased
CLEAR_TMP_DIRS_AT_BOOTUP="no"        No cleaning of temp directories at boot


5.4.4 language 


Sets up the default locale. This MUST NOT be changed, non-root users MAY override these default settings in their 
shell profiles. 


5.4.5 backup 


Configures the backup of the RPM database. MAY be changed. 


5.4.6 boot 


Configures the verbosity and interaction level of the boot process for debugging. Read by bootup scripts in /etc/init.d/. 
MAY be changed. 


5.4.7 displaymanager 


This would configure the display manager for a workstation. It is not used in the evaluated configuration. 


5.4.8 kernel 


Configures modules to be installed in the initrd for system boot. MUST NOT be changed. 


5.4.9 clock 


Configures time zone and system clock, read during system boot. MAY be changed. 
5.4.10 proxy 


Configures global variables for the use of proxies. Not used in the evaluated configuration. 


5.4.11 windowmanager 


Would select the window manager on a workstation. Not used in the evaluated configuration. 


5.4.12 sysctl 


Configures some system variables for the boot process. The following are security relevant and MUST NOT be 
changed: 


IP_DYNIP=no              The system only has a static address
IP_TCP_SYNCOOKIES=yes    SYN flood protection
IP_FORWARD=no            Has to be set to yes if the system acts as a router.
ENABLE_SYSRQ=no          System request key MUST be disabled.


5.4.13 java 


Would configure the Java run time environment if installed. Not used in the evaluated configuration. 


5.4.14 mail 


Configures the MTA. Security relevant variables that MUST NOT be changed are: 


SMTPD_LISTEN_REMOTE="no"    If set to yes, SuSEconfig will tell postfix to
                            accept remote connections.


5.4.15 hardware 


Configures hardware parameters (DMA), read during system boot. MAY be changed. 


5.4.16 printer 


Sets the default printer. MUST NOT be changed, but non-root users may override the setting in their shell profiles. 


5.4.17 news 


Usenet news / NNTP settings. Not used in the evaluated configuration. 


5.4.18 console 


Sets up the console configuration (font, code page, frame buffer). MUST NOT be changed. 
5.4.19 keyboard 


Sets up the console keyboard (repeat rate, layout, number of virtual consoles). MAY be changed. 


5.4.20 mouse 


Sets up the mouse type. Not used in the evaluated configuration. 


5.4.21 lvm 


Sets up LVM. Not used in the evaluated configuration. 


5.4.22 network 


This directory contains the networking configuration and scripts for the interfaces and routes. MAY be modified as 
needed, but IP addresses MUST be static (no DHCP). 


5.4.23 syslog 


Configures the syslog daemon. MAY be changed. 


5.4.24 SuSEfirewall2 


Configures the SuSE firewall. Not used in the evaluated configuration. 


5.4.25 hotplug 


Configures dynamically attached devices (USB, Firewire). Not used in the evaluated configuration. 


5.4.26 ssh 


Configures command line options for the SSH daemon. MUST NOT be changed. 


5.4.27 postfix 


Configures the basic MTA setup. MUST NOT be changed. 


5.4.28 bootloader 


Configures the type of bootloader to use and where to store the boot record. MUST NOT be changed. 


5.4.29 audit 


Configures tunable parameters for the kernel part of the audit subsystem. MUST NOT be changed. 


6 Security guidelines for users 


6.1 Online Documentation 


The system provides a large amount of online documentation, usually in text format. Use the man program to read 
entries in the online manual, i.e.: 


man ls 
man man 


to read information about the ls and man commands respectively. You can search for keywords in the online manual 
with the apropos(1) utility, i.e.: 


apropos password 


When this document refers to manual pages, it uses the syntax ENTRY(SECTION), i.e. ls(1). Usually you do not need 
to provide the section number, but if there are several entries in different sections, you can use the optional -S switch 
and pick a specific one. 


Some programs provide additional information in GNU 'texinfo' format; use the info program to read it, i.e.: 


info diff 


Additional information, sorted by software package, can be found in the directories /usr/share/doc/packages/*/. Use 
the less(1) pager to read it, i.e.: 


less /usr/share/doc/packages/gpg/FAQ 


Many programs also support a --help, -? or -h switch you can use to get a usage summary of supported command- 
line parameters. 


A collection of How-To documents in HTML format can be found under /usr/share/doc/howto/en/html if the optional 
howtoenh package is installed. 


Please see /usr/share/doc/howto/en/html/Security-HOWTO for security information. The HTML files can be read with 
the w3m browser. 


The SuSE Linux Enterprise server documentation is also installed in electronic form. /usr/share/doc/packages/sles- 
inst-x86+x86-64_en/ contains the installation guide in PDF format, and /usr/share/doc/packages/sles-admin-x86+x86- 
64_en/ the administration manual. Note that the Security Guide (this document) has precedence over other documents 
in case of conflicting recommendations. 


6.2 Authentication 


You MUST authenticate (prove your identity) before being permitted to use the system. When the administrator created 
your user account, he or she will have assigned a user name and default password, and provided that information for 
you along with instructions how to access the system. 


Logging in to the system will usually be done using the Secure Shell (SSH) protocol, alternatively a serial terminal 
may be available. Use the ssh command to connect to the system unless instructed otherwise by the administrator, 
for example: 


ssh jdoe@172.16.0.1 
The ssh(1) manual page provides more information on available options. If you need to transfer files between systems, 
use the scp(1) or sftp(1) tools. 


If this is the first time you are connecting to the target system, you will be prompted if you want to accept the host 
key. If the administrator has provided a key fingerprint for comparison, verify that they match, otherwise type yes to 
continue. You MUST immediately change your initially assigned password with the passwd(1) utility. 


You MUST NOT under any circumstances attempt to log in from an insecure device, such as a public terminal or a 
computer belonging to a friend. Even if the person owning the computer is trustworthy, the computer may not be due 
to having been infected with malicious code. Always remember that the device you are typing your password into 
has the ability to save and re-use your authentication information, so you are in effect giving the computer you are 
using the right to do any and all actions in your name. Insecure handling of authentication information is the leading 
cause for exploits of otherwise secure systems, and SSH can only protect the information during transit, and offers no 
protection at all against an insecure end point. 


When you log out from the system and leave the device you have used for access (i.e. a terminal or a workstation 
with terminal emulation), you MUST ensure that you have not left information on the screen or within an internal 
buffer that should not be accessible to another user. You should be aware that some terminals also store information 
not displayed on the terminal (i.e. passwords, or the contents of a scrollback buffer). Nevertheless this information 
may be extractable by the next user unless the terminal buffer has been cleared. 


If you ever forget your password, contact your administrator, who will be able to assign a new password. 


You MAY use the chsh(1) and chfn(1) programs to update your login shell and personal information if necessary. Not 
all settings can be changed this way, contact your administrator if you need to change settings that require additional 
privileges. 


6.3 Password policy 


All users MUST ensure that their authentication passwords are strong (hard to guess) and handled with appropriate 
security precautions. The password policy described here is designed to satisfy the requirements of the evaluated 
configuration. If your organization already has a password policy defined, your administrator MAY refer you to that 
policy if it is equivalently strong. 


You MUST change the initial password set by the administrator when you first log into the system. You MUST select 
your own password in accordance with the rules defined here. You MUST also change the password if the administrator 
has set a new password (i.e. if you have forgotten your password and requested the administrator to reset the password). 


Your password MUST be a minimum of 8 characters in length. More than 8 characters MAY be used (it is 
RECOMMENDED to use more than 8, best is to use passphrases), and all characters are significant. 


Use at least one character each from the following sets: 


Lowercase letters:  abcdefghijklmnopqrstuvwxyz
Uppercase letters:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Digits:             0123456789
Punctuation:        !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~


- You MUST NOT base the password on a dictionary word, your real name, login name, or other personal details 
  (such as dates, names of relatives or pets), or names of real people or fictional characters. 

- You MUST NOT use a simple alphabetic string, palindrome or combinations of adjacent keyboard keys. 

- When you choose a new password, it MUST NOT be a simple variation or permutation of a previously used 
  one. 

- You MUST NOT write the password on paper or store it on electronic devices in unprotected form. Storage in 
  a secure location (i.e. envelope in safety deposit box, or encrypted on an electronic device) MAY be acceptable; 
  contact your administrator first to ensure that the protection is strong enough to make password recovery 
  infeasible for the types of attackers the system is intended to protect against. 

- The password is for you and you only. A password is like a toothbrush - you do not want to share it with anybody, 
  even your best friend. You MUST NOT disclose your password to anybody else, or permit anybody else to use 
  the system using your identity. 

  Note that administrators will never ask you for your password, since they do not need it even if they are required 
  to modify settings affecting your user account. 

- You MUST NOT use the same password for access to any systems under external administration, including 
  Internet sites. You MAY however use the same password for accounts on multiple machines within one administrative 
  unit, as long as they are all of an equivalent security level and under the control of the same administrators. 

- You MUST inform the administrator and select a new password if you have reason to believe that your password 
  was accidentally disclosed to a third party. 

- If the system notifies you that your password will expire soon or has expired, choose a new one as instructed. 
  Contact your administrator in case of difficulty. 


A RECOMMENDED method of generating passwords that fits these criteria while still being easy to memorize is to 
base it on letters of words in a sentence (NOT a famous quotation), including capitalization and punctuation and one 
or two variations. Example: 


"Ask not for whom the bell tolls."
=> An4wtbt.

"Password 'P'9tw;ciSd' too weak; contained in SLES documentation"
=> P'9tw;ciSd
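An added example, not from the guide: a POSIX shell check of a candidate password against the rules of this section, to run before handing the password to passwd(1). The dictionary check is only a stand-in for the system's cracklib dictionary (pam_pwcheck) and uses a small constructed word list so the script runs offline; the keyboard rows and the sample login names are assumptions.

```shell
#!/bin/sh
# Added example, not from the SLES Security Guide: check a candidate password
# against the rules of section 6.3 before handing it to passwd(1). The
# dictionary check is only a stand-in for the system's cracklib dictionary
# (pam_pwcheck): it uses a small constructed word list so the script runs
# offline. Keyboard rows and sample logins are assumptions, not from the guide.

DICT_WORDS="password secret welcome summer linux"      # constructed sample

lower() { printf '%s\n' "$1" | tr 'A-Z' 'a-z'; }
reverse() {
    printf '%s\n' "$1" | awk '{ for (i = length($0); i > 0; i--) printf "%s", substr($0, i, 1) }'
}

# sequence_run STRING: succeed if STRING contains four characters that are
# adjacent (in either direction) on a keyboard row, in the alphabet or in the
# digit row, i.e. a "simple alphabetic string" or "adjacent keyboard keys".
sequence_run() {
    printf '%s\n' "$1" | awk '
        function rev(x,  o, k) { o = ""; for (k = length(x); k > 0; k--) o = o substr(x, k, 1); return o }
        BEGIN { n = split("qwertyuiop asdfghjkl zxcvbnm 1234567890 abcdefghijklmnopqrstuvwxyz", rows, " ") }
        {
            for (i = 1; i + 3 <= length($0); i++) {
                s = substr($0, i, 4)
                for (r = 1; r <= n; r++)
                    if (index(rows[r], s) || index(rev(rows[r]), s)) exit 0
            }
            exit 1
        }'
}

# check_password PASSWORD LOGIN [REALNAME]
# Prints one line per violated rule and returns 1; returns 0 when all rules hold.
check_password() {
    pw=$1; login=$2; realname=$3; bad=0
    [ "${#pw}" -ge 8 ] || { echo "shorter than 8 characters"; bad=1; }
    case $pw in *[[:lower:]]*) ;; *) echo "no lowercase letter"; bad=1 ;; esac
    case $pw in *[[:upper:]]*) ;; *) echo "no uppercase letter"; bad=1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "no digit"; bad=1 ;; esac
    case $pw in *[[:punct:]]*) ;; *) echo "no punctuation character"; bad=1 ;; esac
    lpw=$(lower "$pw")
    # personal details: login name or any part of the real name (3+ letters)
    for word in $(lower "$login $realname"); do
        [ "${#word}" -ge 3 ] || continue
        case $lpw in *"$word"*) echo "contains personal detail '$word'"; bad=1 ;; esac
    done
    # dictionary words (stand-in for the cracklib dictionary used by pam_pwcheck)
    for word in $DICT_WORDS; do
        case $lpw in *"$word"*) echo "based on dictionary word '$word'"; bad=1 ;; esac
    done
    [ "$lpw" != "$(reverse "$lpw")" ] || { echo "palindrome"; bad=1; }
    if sequence_run "$lpw"; then echo "adjacent keyboard keys or alphabetic sequence"; bad=1; fi
    return $bad
}

# The guide's own example: "Ask not for whom the bell tolls." => An4wtbt.
# check_password 'An4wtbt.' jdoe 'John Doe' && echo "password acceptable"
```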


6.4 Access control for files and directories 


Linux is a multiuser operating system. You can control which other users will be able to read or modify your files 
by setting the Unix permission bits and user/group IDs, or (if more precise control is needed) by using POSIX-style 
access control lists (ACLs). 


Note that the administrators ("root") are able to override these permissions and access all files on the system. Use of 
encryption is RECOMMENDED for additional protection of sensitive data. 


The "umask" setting controls the permissions of newly created files and directories and specifies the access bits that 
will be removed from new objects. Ensure that the setting is appropriate, and never grant write access to others by 
default. The umask MUST include at least the 002 bit (no write access for others), and the RECOMMENDED setting 
is 027 (read-only and execute access for the group, no access at all for others). 


Do not set up world-writable areas in the filesystem - if you want to share files in a controlled manner with a fixed 
group of other users (i.e. a project group), please contact your administrator and request the creation of a user group 
for that purpose. 


Always remember that you are responsible for the security of the data you create and use. Choose permissions that 
match the protection goals appropriate for the content, and that correspond to your organization’s security policy. 
Access to confidential data MUST be on a need-to-know basis, therefore do not make data world-readable unless the 
information is intended to be public. 


Whenever you start a program or script, it will execute with your access rights. This implies that a malicious program 
would be able to read and modify all files that you have access to. Therefore, never execute any code that you have 
received from untrustworthy sources, and do not run commands that you do not understand. 
Programs can be configured to run with the access rights of the program file's owner and/or group instead of the rights 
of the calling user. This is the setuid/setgid mechanism, which utilities such as passwd(1) use to be able to access 
security-critical files. You could also create your own setuid/setgid programs via chmod(1), but DO NOT do that 
unless you fully understand the security implications - you would be giving away your access privileges to whoever 
launches the setuid program. Please refer to the "Secure Programming HOWTO" in the unlikely case that you need to 
create such a program; there you will find explanations of the many aspects that must be considered, such as the risk 
of unintended shell escapes, buffer overflows, resource exhaustion attacks and many other factors. 


Please refer to the chmod(1), umask(2), chown(1), chgrp(1), acl(5), getfacl(1), and setfacl(1) manual pages for infor- 
mation, or any of the many available books covering Linux security (cf. Appendix ’Literature’), or ask your system 
administrator for advice. 


6.5 Data import / export 


The system comes with various tools to archive data (tar, star, cpio). If ACLs are used, only star MUST be used 
to handle the files and directories, as the other commands do not support ACLs. The options -H=exustar -acl must be 
used with star. 


Please see star(1) for more information. 


7 Appendix 


7.1 Online Documentation 


If there are conflicting recommendations in this document and in one of the sources listed here, the Security Guide has 
precedence concerning the evaluated configuration. 


SuSE Linux Enterprise Server Security Guide (this document), /usr/share/doc/packages/certification-sles-eal3/SLES- 
Security-Guide.* 


SuSE Linux Enterprise Server Installation Guide, /usr/share/doc/packages/sles-inst-x86+x86-64_en/ 
SuSE Linux Enterprise Server Administrator Guide, /usr/share/doc/packages/sles-admin-x86+x86-64_en/ 


David A. Wheeler, "Secure Programming for Linux and Unix HOWTO", /usr/share/doc/howto/en/html_single/Secure- 
Programs-HOWTO.html, http://tldp.org/HOWTO/Secure-Programs-HOWTO/ 


Kevin Fenzi, Dave Wreski, "Linux Security HOWTO", /usr/share/doc/howto/en/html_single/Security-HOWTO.html, 
http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/ 


7.2 Literature 


Ellen Siever, Stephen Spainhour, Stephen Figgins & Jessica P. Hekman, "Linux in a Nutshell, 3rd Edition", O'Reilly 
2000, ISBN 0596000251 


Simson Garfinkel, Gene Spafford, Alan Schwartz, "Practical Unix & Internet Security, 3rd Edition", O'Reilly 2003, 
ISBN 0596003234 


Æleen Frisch, "Essential System Administration, 3rd Edition", O'Reilly 2002, ISBN 0596003439 


Daniel J. Barrett, Richard Silverman, "SSH, The Secure Shell: The Definitive Guide", O'Reilly 2001, ISBN 
0596000111 


David N. Blank-Edelman, "Perl for System Administration", O'Reilly 2000, ISBN 1565926099 


Shelley Powers, Jerry Peek, Tim O'Reilly, Mike Loukides, "Unix Power Tools, 3rd Edition", O'Reilly 2002, ISBN 
0596003307 


the UNIX(R) Environment", Addison-Wesley 1992, ISBN 


Linda Mui, "When You Can't Find Your UNIX System Administrator", O'Reilly 1995, ISBN 1565921046 


7.3 The script /usr/lib/eal3/bin/sles-eal3 
#!/bin/bash

echo " reconfigure system into EAL3 evaluated configuration"

usage () {
    echo "Usage: $0 [OPTIONS]"
    echo "Options:"
    echo "  -h|--help           show help"
    echo "  -i|--interactive    run interactively (default)"
    echo "  -a|--automated      run noninteractively"
    echo "  -v|--verbose        print detailed information while running"
}

args="$*"

base=/usr/lib/eal3
lib=$base/lib
funcs=$base/functions

LOGFILE=/var/log/certification-sles-eal3

# get all functions that this script needs (die, log, logn, ask, confirm,
# old, replace ... live in $funcs/*.sh):
for f in $funcs/*.sh; do
    . $f
done

# run various sanity checks before proceeding
if [ "`/usr/bin/id -nu`" != "root" ]; then
    die "This script must be run as root."
fi

if [ ! -f /proc/1/cmdline ]; then
    die "/proc is not mounted. Running a test?"
fi

if mount | grep ' / ' | grep "type ext3.*,acl" >/dev/null; then :; else
    die "root filesystem must be ext3 with ACL support on. See SG."
fi

if mount | grep "type nfs"; then
    die "please unmount all NFS shares first. See SG."
fi

# the trusted group must have at least one member, otherwise nobody can su
if grep 'trusted:.*:.*:.' /etc/group >/dev/null; then :; else
    die "No trusted users. You won't be able to use 'su'. See SG."
fi

# special case to avoid a common cause of confusion - xinetd is not
# in the default install and people keep forgetting it.
#
if rpm -q xinetd >/dev/null 2>&1; then :; else
    die "You need to have xinetd installed to proceed. See SG."
fi

if ls -1 /etc/init.d/audit-* 2>/dev/null; then
    log "You have leftover files from an obsolete version of this script."
    die "Remove /etc/init.d/audit-* before continuing."
fi

if ls -1 /lib/liblaus.so* 2>/dev/null; then
    die "obsolete /lib/liblaus.so* found, please remove"
fi

# if the tests above were okay, let's proceed.

interactive="yes"
verbose=""

# commandline parsing
while [ ! -z "$1" ]; do
    case $1 in
    -h|--help)
        usage
        exit 0
        ;;
    -i|--interactive)
        interactive=yes
        shift
        ;;
    -a|--automated)
        interactive=""
        shift
        ;;
    -v|--verbose)
        verbose="yes"
        shift
        ;;
    *)
        usage
        exit 1
        ;;
    esac
done

# open logfile with first log:
logn " --- `date` script running: $0 args: $args"
if [ ! -z "$interactive" ]; then
    if [ ! -t 0 ]; then
        die "Interactive mode requested, but stdin is not a terminal"
    fi
    echo "You have chosen to run the reconfiguration in interactive mode."
    echo "The evaluated configuration requires that *all* the steps are"
    echo "done. If you want to do this automatically, stop and re-run the"
    echo "script in noninteractive mode ('-a' option)."
    echo
    echo "The reconfiguration involves removing packages and modifying the"
    echo "system configuration, which may result in a system that is"
    echo "not useful to you. For example, the X11 desktop is removed."
    echo
    echo "Please read the documentation before proceeding."
    echo
    if ask "Continue?" "n"; then :; else
        die "Aborted. Your system was not modified."
    fi
fi

# bootloader configuration: grub needs no action, but if lilo is installed...
. /etc/sysconfig/bootloader
case "$LOADER_TYPE" in
*lilo*)
    log "Your system uses lilo to load the kernel on system startup."
    log "The evaluated configuration does not support lilo as bootloader."
    log "It is necessary that you install the grub bootloader and configure"
    log "it so that your system will boot safely. The lilo bootloader will"
    log "either be removed automatically during the further processing of"
    log "this script, or you remove the package yourself (rpm -e lilo)"
    die "The script stops here."
    ;;
esac

# rebuild the rpm database first before touching any packages:
if confirm "Running rpm --rebuilddb before package removal."; then
    rpm --rebuilddb
else
    log "rpm --rebuilddb was aborted."
fi

# package removal first.
ALLINSTALLEDPACKAGES=`rpm -qa --queryformat='%{NAME}\n'`
logn "installed packages on the system: $ALLINSTALLEDPACKAGES"
PREREQPACKAGES=`cat $lib/packagelist.required`
ALLCERTIFIEDPACKAGES=`cat $lib/packagelist.eal3`
ALLTOLERATEDPACKAGES=`cat $lib/packagelist.tolerated`

pack_to_be_removed=""   # reminder...

# every required package must be installed
for packreq in $PREREQPACKAGES; do
    packisok=""
    for packinst in $ALLINSTALLEDPACKAGES; do
        if [ "$packinst" = "$packreq" ]; then
            packisok="$packinst"
        fi
    done
    if [ -z "$packisok" ]; then
        die "Required prerequisite package '$packreq' missing, aborting."
    fi
done

# every installed package that is neither certified nor tolerated is removed
for packinst in $ALLINSTALLEDPACKAGES; do
    packisok=""
    for packeal3 in $ALLCERTIFIEDPACKAGES $ALLTOLERATEDPACKAGES; do
        if [ "$packeal3" = "$packinst" ]; then
            packisok="$packinst"
        fi
    done
    if [ -z "$packisok" ]; then
        pack_to_be_removed="$pack_to_be_removed $packinst"
    fi
done

pack_to_be_removed=`echo $pack_to_be_removed`

if [ ! -z "$pack_to_be_removed" ]; then
    log "I want to remove the following packages:"
    log "$pack_to_be_removed"
    if confirm "Removing these RPMs from the system."; then
        logn "running: rpm -e $pack_to_be_removed"
        rpm -e $pack_to_be_removed || die "rpm package removal was unsuccessful. \
Please do it manually. You can find the list of packages to be removed in the logfile."
    else
        log "removal of packages has been aborted"
        failure=1
    fi
fi

# need the correct architecture - checking the 'glibc' arch via rpm doesn't
# work on ppc64, since it returns 'ppc'. Use plain 'arch' which gets the right
# result. Determining compatible RPMs is done below.
arch=`arch`

installed_kernel=`rpm -qf --queryformat='%{NAME}\n' /boot/vmlinuz | tail -1`
if [ -z "$installed_kernel" ]; then
    # that didn't work, plan B...
    # There's not /boot/vmlinuz on iSeries.
    installed_kernel=`rpm -qa --queryformat='%{NAME}\n' \
        | egrep "^(k_|kernel)" | egrep -v "tools|source" | tail -1`
fi
[ -z "$installed_kernel" ] && die "Can't figure out the installed kernel version. Giving up."
logn "installed kernel is: $installed_kernel"

AuditModule="$base/lib/kernel/modules/$arch/$installed_kernel/audit.o"
ModuleDest=`rpm -ql $installed_kernel | grep audit.o | tail -1`

if [ -f "$AuditModule" ]; then
    if confirm "Install updated audit kernel module."; then
        old $ModuleDest
        cp -v $AuditModule $ModuleDest || die "Can't install audit.o module."
        log "If you rebuild the kernel, please apply the patches in $base/lib/kernel/."
    fi
else
    log "Updated kernel module $AuditModule not found - wrong architecture or version."
    log "If you build your own kernel, please apply the patches in $base/lib/kernel/."
fi

# package installation:
# Get all files compatible with the architecture from the rpm directory
case "$arch" in
i386)
    archpacks=$base/rpm/*i386.rpm
    ;;
i486)
    archpacks=$base/rpm/*i[34]86.rpm
    ;;
i586)
    archpacks=$base/rpm/*i[345]86.rpm
    ;;
i686)
    archpacks=$base/rpm/*i[3456]86.rpm
    ;;
*)
    archpacks=$base/rpm/*$arch.rpm
    ;;
esac

# Install the packages, and check for any that need special handling.
for pack in $archpacks; do
    [ ! -f "$pack" ] && break
    name_of_package=`rpm -qp --queryformat='%{NAME}\n' $pack`
    logn "running: rpm --checksig $pack (package name: $name_of_package)"
    rpm --checksig $pack > /dev/null 2>&1
    if [ "$?" = 0 ]; then
        logn "  $pack sigcheck ok"
        case "$name_of_package" in
        k_*)
            # only the kernel flavour that is actually installed is updated
            if [ "$name_of_package" = "$installed_kernel" ]; then
                packstoinstall="$packstoinstall $pack"
            fi
            ;;
        glibc*)
            die "glibc upgrade not supported. Use service pack to do that."
            ;;
        *)
            packstoinstall="$packstoinstall $pack"
            ;;
        esac
    else
        die "checksig: package signature check for package $pack failed."
    fi
done

if [ "$packstoinstall" ]; then
    log "I want to install all packages from $base/rpm."
    log "The list of packages is $packstoinstall"
    if confirm "Installing these packages."; then
        logn "running: rpm --oldpackage --force --nodeps -Uhv $packstoinstall"
        rpm --oldpackage --force --nodeps -Uhv $packstoinstall || die "rpm package installation was unsuccessful. \
Please do it manually. The package list can be found in $LOGFILE"
    else
        log "Installation of packages aborted."
        failure=1
    fi
fi

# runlevel link removal:
if confirm "Removing all runlevel links from /etc/init.d/rc3.d."; then
    ( cd /etc/init.d/rc3.d; rm -f * nosuchfileordirectory_dummy )
    log "all runlevel symlinks removed."
else
    log "Removal of runlevel symlinks aborted."
    failure=1
fi

PERMITTED_SERVICES=`cat $base/lib/permitted_services`
logn "permitted services: $PERMITTED_SERVICES"
if confirm "Making links in /etc/init.d/rc3.d for all allowed services."; then
    for service in $PERMITTED_SERVICES; do
        logn "insserv /etc/init.d/$service"
        insserv /etc/init.d/$service
    done
    log "new runlevel symlinks created."
else
    log "new runlevel symlink creation in /etc/init.d/rc3.d aborted."
    failure=1
fi

# configuration files: every file below $base/etc replaces its counterpart in /etc
for file in `cd $base; find etc -type f`; do
    if confirm "Replacing the file /$file."; then
        logn "running: replace $file"
        replace $file
    else
        log "replacement of file /$file aborted."
        failure=1
    fi
done

if confirm "Installing new and updated manpages."; then
    log "Replacing manpages from $base/man to system paths."
    cd $base/man
    find . -type f -print0 | xargs -0 tar cf - | (cd /usr/share/man ; \
        tar xfvvp -)
    logn "manpages replaced."
else
    log "Replacing of manpages from $base/man to system paths aborted."
    failure=1
fi

# permissions of files:
if confirm "Removing setuid/setgid bits from all files in the system."; then
    output=`find / -type f \( -perm +4000 -o -perm +2000 \) -print0 | \
        xargs -0 chmod -v -s 2>&1`
    log "$output"
else
    log "setuid/setgid bit removal aborted."
    failure=1
fi

if confirm "Setting permissions according to /etc/permissions.eal3."; then
    logn "running: chkstat -set /etc/permissions.eal3"
    chkstat -set /etc/permissions.eal3
    log "Permissions are set (/etc/permissions.eal3)"
else
    log "setuid and setgid bits setting aborted (/etc/permissions.eal3)"
    failure=1
fi

# default runlevel:
if confirm "Changing default runlevel to 3."; then
    logn "changing default runlevel to 3"
    awk '/^id:.:initdefault:$/ { print "id:3:initdefault:"; next; }
         { print $0; }' < /etc/inittab > /etc/inittab.new
    logn "running: old /etc/inittab"
    old /etc/inittab
    logn "running: mv /etc/inittab.new /etc/inittab"
    mv /etc/inittab.new /etc/inittab
else
    log "initdefault change to 3 aborted."
    failure=1
    bootfail=1
fi

if [ -x /sbin/zipl ]; then
    if confirm "Run 'zipl' to update the boot loader configuration?"; then
        zipl
    fi
fi

# finally:
if [ -z "$bootfail" -a -z "$failure" ]; then
    log "Reconfiguring the system to the evaluated configuration is complete."
    log "It is now necessary to reboot the system."
    if confirm "Rebooting the system."; then
        log "rebooting the system now. Sleeping for 10 seconds..."
        exec 42>&-      # close logfile...
        sleep 10
        logn "running: /sbin/init 6"
        /sbin/init 6
        echo "Waiting to be killed..."
        sleep 600
    else
        log "reboot aborted. Please note that the system must be rebooted for"
        log "the configuration to be complete."
        failure=1
    fi
fi


7.4 The file /etc/permissions.eal3 
# /etc/permissions.eal3
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2003
#
#
# See /etc/permissions for general hints on how to use this file.
#
# This file is based on /etc/permissions.secure as shipped with SLES8.
# It has been adapted to the needs of the EAL3 evaluation which disables
# a few more SUID programs.
# It still contains a lot more definitions than the minimal package set
# for the EAL3 evaluation, but those don't hurt in here.
#
#
# Directories
#
# closed:
/usr/lib/ircd                                   irc.root        700
# No games:
/var/X11R6/scores                               root.root       0750
/var/catman                                     man.root        755
/var/cron                                       root.root       700
/var/spool/cron                                 root.root       700
/var/cron/tabs                                  root.root       700
/var/spool/cron/tabs                            root.root       700
/var/lib/gdm                                    gdm.shadow      750
/var/lib/xdm/authdir                            root.root       700
/var/lib/xdm/authdir/authfiles                  root.root       700
/var/lock                                       root.uucp       775
# closed; see "easy"
/var/man2html                                   root.root       0755
# no lock files for emacs:
/var/state/emacs/lock                           root.trusted    1775
/var/state/xemacs/lock                          root.trusted    1775
/var/lib/xemacs/lock                            root.trusted    1775
/var/squid                                      squid.root      755
/var/squid/cache                                squid.root      755
/var/squid/logs                                 squid.root      755
#
# /etc
#
/etc/crontab                                    root.root       600
/etc/exports                                    root.root       600
/etc/fstab                                      root.root       600
/etc/ftpaccess                                  root.root       600
/etc/ftpconversions                             root.root       600
/etc/ftpusers                                   root.root       600
/etc/HOSTNAME                                   root.root       644
/etc/hosts                                      root.root       644
# Changing the hosts_access(5) files causes trouble with services
# that do not run as root!
/etc/hosts.allow                                root.root       644
/etc/hosts.deny                                 root.root       644
/etc/hosts.equiv                                root.root       644
/etc/hosts.lpd                                  root.root       644
/etc/inetd.conf                                 root.root       600
/etc/inittab                                    root.root       600
/etc/issue                                      root.root       600
/etc/issue.net                                  root.root       600
/etc/ld.so.conf                                 root.root       644
/etc/ld.so.cache                                root.root       644
/etc/login.defs                                 root.root       600
/etc/motd                                       root.root       644
/etc/mtab                                       root.root       600
/etc/rmtab                                      root.root       600
/etc/services                                   root.root       644

# changing the global ssh client configuration makes it unreadable
# and therefore useless. Keep in mind that users can bring their own client!
/etc/ssh_config                                 root.root       644
/etc/sshd_config                                root.root       640
/etc/ssh_host_key.pub                           root.root       644
/etc/ssh_host_key                               root.root       600
/etc/ssh_random_seed                            root.root       600
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/etc/ssh_known_hosts 
/etc/ssh/ssh_host_key 
/etc/ssh/ssh_host_key.pub 
/etc/ssh/ssh_random_seed 
/etc/ssh/ssh_config 
/etc/ssh/sshd_config 
/etc/syslog.conf 
/etc/termcap 


# sysconfig files: 
/etc/sysconfig/network/providers 


# 

# suid system programs that need the suid bit to work: 
# 

/bin/su root. 
/usr/bin/sul root. 
# disable at and cron for non-root users 
/usr/bin/at root. 
/usr/bin/crontab root. 
/usr/bin/gpasswd root. 
/usr/bin/newgrp root. 
/usr/bin/passwd root. 
/usr/bin/chfn root. 
/usr/bin/chage root. 
/usr/bin/chsh root. 
/usr/bin/expiry root. 
# NIS+: "trusted" only. 

/usr/bin/chkey root. 


# the default configuration of the sudo package in SuSE 


# intimidate users. 
/usr/bin/sudo 
/usr/sbin/suexec 
/usr/sbin/su-wrapper 

+ opie password system 
/etc/opiekeys 
/usr/bin/opiepasswd 
/usr/bin/opiesu 


root. 
root. 
root. 
root. 
root. 
root. 
root. 
root. 


root. 


root 
root 
root 
root 
root 
root 
root 
root 


root 


trusted 
root 


trusted 
trusted 
trusted 
root 
shadow 
shadow 
shadow 
shadow 
shadow 


trusted 





ay 


644 
600 
644 
600 
644 
640 
600 
644 


700 


4750 
0711 


4755 
4755 
4755 
0755 
4755 
4755 
4755 
4755 
0755 


0755 
distribution is to 


# "user" entries in /etc/fstab make mount work for non-root users: 


/usr/bin/ncpmount 
/usr/bin/ncpumount 


# mount/umount have had their problems 


/bin/mount 
/bin/umount 
/usr/bin/fdmount 
/usr/bin/ziptool 
/bin/eject 


# sendmail calls the wrapper as daemon.daemon: 


/usr/lib/majordomo/wrapper 

# glibc backwards compatibility 
/usr/lib/pt_chown 
/usr/1ib64/pt_chown 
/sbin/pwdb_chkpwd 


root.root 0755 
root.root 0755 
root.root 0755 
root.root 600 
root.root 0755 
root.root 0755 
root.trusted 0755 
root.trusted 01:55 
already: 

root.root 0755 
root.root 0755 
root.root 0755 
root.trusted 0755 
root.audio 0755 
root .daemon 0755 
root.root 0755 
root.root 0755 
root.shadow 0755 
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/sbin/unix_chkpwd root.shadow 0755 
/sbin/unix2_chkpwd root.shadow 0755 
# gpopper 

/usr/sbin/popauth pop.root 0755 
# from the sguid package 

/usr/sbin/pam auth root.shadow 0755 


# utempter: See bottom of /etc/permissions: 
/usr/sbin/utempter root.tty 2755 


# 

# log files that do not grow remarkably 

# 

/var/log/faillog root.root 600 
/var/log/lastlog root.tty 644 


# 

# mixed section: most of it is disabled in this permissions.secure: 

# 
de 
# rpm subsystem: 














/usr/src/packages/ SOURCES root.root 700 
/usr/src/packages/BUILD root.root 700 
/usr/src/packages/RPMS root.root 700 
/usr/src/packages/RPMS/alpha root.root 700 
/usr/src/packages/RPMS/alphaev56 root.root 700 
/usr/src/packages/RPMS/alphaev67 root.root 700 
/usr/src/packages/RPMS/alphaev6 root.root 700 
/usr/src/packages/RPMS/arm41 root.root 700 
/usr/src/packages/RPMS/athlon root.root 700 
/usr/src/packages/RPMS/1386 root.root 700 
/usr/src/packages/RPMS/1486 root.root 700 
/usr/src/packages/RPMS/1586 root.root 700 
/usr/src/packages/RPMS/1686 root.root 700 
/usr/src/packages/RPMS/ia64 root.root 700 
/usr/src/packages/RPMS/mips root.root 700 
/usr/src/packages/RPMS/ppc root.root 700 
/usr/src/packages/RPMS/ppc64 root.root 700 
/usr/src/packages/RPMS/powerpc root.root 700 
/usr/src/packages/RPMS/powerpc64 root.root 700 
/usr/src/packages/RPMS/s390 root.root 700 
/usr/src/packages/RPMS/s390x root.root 700 
/usr/src/packages/RPMS/sparc root.root 700 
/usr/src/packages/RPMS/sparcv9 root .root 700 
/usr/src/packages/RPMS/sparc64 root .root 700 
/usr/src/packages/RPMS/x86. 64 root.root 700 
/usr/src/packages/RPMS/mips root.root 700 
/usr/src/packages/RPMS/armv41 root.root 700 
/usr/src/packages/RPMS/noarch root.root 700 
/usr/src/packages/SPECS root.root 700 
/usr/src/packages/SRPMS root.root 700 


# 
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# mostly from series beo: 
# see customs (8), export(1) and pmake (1) 








/usr/bin/pmake root.root 0755 
/usr/bin/export root.root 0755 
/usr/bin/make root .root 0755 
# Portable Batch System (PBS) (beo) 

/usr/sbin/pbs_rcp root.root 0755 
/usr/sbin/pbs_iff root .root 0755 
# queue (beo) 

/usr/bin/queue root.root 0755 
# clusterit (beo) 

/usr/bin/dsh root .root 0755 
# das: 

/usr/bin/gmod root .root 0755 
/usr/bin/dgs. options root .root 0755 
/usr/bin/gconf root.root 0755 


# wants root for realtime scheduling policy class 
# we better let it complain - on an idle machine it has no effect anyway. 








/opt/rtsynth/RTSynth root .root 0755 
# same here: package muse 

/usr/bin/muse root .root 0755 
# AX.25, NETROM, ROSE and TCP node frontend 

/usr/sbin/node root .root 0755 


dd 


# executor, Mac-simulator: 





/opt/executor/bin/executor-demo-svga root.root 0755 
# Amiga-emulator 

/usr/bin/suae root.root 0755 
# stonx: atari emulator, svgalib: 

/usr/bin/sstonx root.root 0755 
# atari800 emulator 

/usr/bin/atari800 root .root 0755 
# z81 emulator 

/usr/bin/z8ltxt root.root 0511 
# package adamem (Z80 based ColecoVision and ColecoADAM emulator) 
/usr/X11R6/1ib/adamem/cvem root .root 0755 
/usr/X11R6/1ib/adamem/adamem root .root 0755 
# video 

/usr/X11R6/bin/v4l-conf root .video 0755 
/opt/gnome/bin/zapping_setup_fb root .video 0755 
# vmware 

/usr/bin/vmware.bin root .trusted 0755 
/usr/bin/vmware-ping root .root 0755 
# iBCS2 binary emulator 

/shlib/protlib_s.emu root.root 755 
/shlib/protlib_s.debug root.root 755 
/shlib/libnsl_s.emu root.root 755 
/shlib/libnsl s.debug root .root 755 


de 
# netatalk printer daemon: 


/usr/sbin/papd root.lp 0755 
# package cysched: 
/opt/synchronize/linux/bin/synchrod root .root 0755 


/opt/synchronize/linux/bin/websyncd root .root 0755 
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# scotty: 

/usr/bin/ntping root .trusted 0755 
/usr/bin/straps root .trusted 0755 
/sbin/cardctl root.trusted 0755 
# use it as root if you must: 

/usr/X11R6/bin/dga root .root 0755 
screen savers: 

# xlock and xlockmore have helper programs that do this job now: 
/usr/X11R6/bin/xlock root .root 0755 
/usr/X11R6/bin/xlock-mesa root .root 0755 
/usr/X11R6/bin/xscreensaver root .root 0755 
# This is not extensively tested. 

/usr/bin/vlock root . shadow 0755 
/usr/X11R6/bin/XFree86 root .root 0711 
/usr/X11R6/bin/Xwrapper root .root 0755 
/usr/X11R6/bin/xemacs root .root 0755 
/usr/bin/emacs root.root 0755 
/usr/bin/man root .root 0755 
/usr/bin/mandb root .root 0755 
# turned off write and wall by disabling sgid tty: 
/usr/bin/wall root.tty 0755 
/usr/bin/write root.tty 0755 


# linked against svgalib. Make it suid root if you want users to be 
# able to use xaos on the console or keep it safe as this: 


/usr/bin/xaos root.root 0755 
# needs suid root for console font switches: 
/usr/bin/kon.bin root .trusted 0755 
# thttpd: sgid + executeable only for group www. Useless... 
/usr/bin/makeweb root . www 2750 
# ham series, package wampes: Disabled suid root 
/usr/bin/bbs root .root 0755 
# ham series, package dpbox 

/usr/bin/dpgate dpbox.localham 0755 
# sane package: disabled suid root. 

/usr/bin/as6edriver root.root 0755 
# yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp. 
/usr/bin/yaps root .uucp 0755 
# ncpfs tool: trusted only 

/usr/bin/nwsfind root .trusted 0750 
/usr/bin/ncplogin root .trusted 0750 
/usr/bin/ncpmap root .trusted 0750 
# dvisvga package: disabled suid root (for libvga) 
/usr/bin/dvisvga root .root 0755 


# maildrop package: change the permissions to the default from the 
# rpm package (0755) if you have to use it. Default to deliver mails 


= 


# on a SuSE system is procmail. 





/usr/bin/maildrop root.mail 0755 
/usr/bin/dotlock root.mail 0755 
# video editor. package mainactr, series pay 
/opt/MainActor/MainActor root.root 0755 
/opt/MainActor/MainView root .root 0755 
# conferencing system: some buffer overflows in there... 
/usr/bin/bayonne_wrapper root.root 7:55 


# lpdfilter 
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/usr/lib/lpdfilter/bin/runlpr root .root 0755 

# disabled by default in SuSE distributions: make it 4755 if you need it. 
/usr/bin/suidperl root .root 0755 

# also disabled (libforms, libX11) reenable it by setting it 4755: 
/usr/X11R6/bin/cardinfo root .root 0755 

# if smail is installed: 

/usr/sbin/smail root.root 0555 


# phoenix, commercial package 
# The package won’t work with these files closed. 


/usr/lib/phoenix/License root .root 644 
/usr/lib/phoenix/basic/address.txt root .root 644 
# apcupsd shouldn’t need suid root 

/sbin/apcupsd root.root 1:99 
/usr/sbin/apcupsd root.root 755 
# gnokii nokia cellphone software 

/usr/sbin/mgnokiidev root .uucp 755 
# plptools, palm pilot connectivity 

/usr/sbin/plpnfsd root .trusted 0750 
# pep, performance co-pilot 

/usr/share/pcp/bin/pmpost root.trusted 0755 
# mailman mailing list software 
/usr/lib/mailman/cgi-bin/admin root .mailman 0755 
/usr/lib/mailman/cgi-bin/admindb root .mailman 0755 
/usr/lib/mailman/cgi-bin/archives root .mailman 0755 
/usr/lib/mailman/cgi-bin/edithtml root .mailman 0755 
/usr/lib/mailman/cgi-bin/handle_opts root .mailman 0755 
/usr/lib/mailman/cgi-bin/listinfo root .mailman 0755 
/usr/lib/mailman/cgi-bin/options root .mailman 0755 
/usr/lib/mailman/cgi-bin/private root .mailman 0755 
/usr/lib/mailman/cgi-bin/roster root .mailman 0755 
/usr/lib/mailman/cgi-bin/subscribe root .mailman 0755 
/usr/lib/mailman/mail/wrapper root .mailman 0755 














# apache frontpage extensions, disabled in secure and paranoid 
/usr/lib/frontpage/version4.0/apache-fp/_vti_bin/fpexe root.root 0755 


/usr/sbin/fpexec root .root 0755 
/usr/sbin/validate root .root 0755 
# sapdb; setuid root in permissions.easy 
/opt/sapdb/depend/pgm/dbmsrv root.root 0755 
/opt/sapdb/depend/pgm/lserver root.root 0755 
# 

# networking (need root for the privileged socket) 

# 

/bin/ping root .root 4755 
/bin/ping6 root .root 0755 
/usr/bin/bing root.trusted 0755 
# new traceroute program by Olaf Kirch does not need setuid root any more. 
/usr/sbin/traceroute root.root 0755 
/usr/sbin/traceroute6 root.root 0755 


# mtr is linked against ncurses. 
/usr/sbin/mtr root .dialout 0755 
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/usr/bin/rcp root .root 0755 
/usr/bin/rlogin root.root 0755 
/usr/bin/rsh root .root 0755 


# ssh is not suid here any more. If a user needs the rsh fallback feature, 
# she should use /usr/bin/rsh. 











/usr/bin/ssh root .root 0755 
# ham radio 

/var/mtrack/locfile root .root 0644 
/var/mtrack/satfile root .root 0644 
/usr/bin/kamplus root.localham 0750 
/usr/bin/endhost root .localham 0750 
/etc/kamrc root.localham 664 
/var/lib/kamplus root.localham 775 
/var/lib/kamplus/parms root.localham 775 
/var/lib/kamplus/cg root.localham 664 
/var/lib/kamplus/messages root.localham 664 
/var/lib/kamplus/helpfile-gt root.localham 664 
/var/lib/kamplus/capture.txt root.localham 664 
/var/lib/kamplus/parms/tnc.parms root.localham 664 
/var/lib/kamplus/parms/home root.localham 664 
/var/lib/kamplus/parms/away root.localham 664 
/usr/bin/kam-gt root.localham 750 
+ 

# dialup networking programs 

# 

/usr/sbin/dip root.dialout 0755 
/usr/sbin/pppd root.dialout 0750 
/usr/sbin/cinternet-wwwrun wwwrun.dialout 0750 
/usr/sbin/pppoe-wrapper root.dialout 0750 
/var/run/smpppd root.dialout 750 
/var/lib/smpppd root.root 700 
/etc/ppp root.dialout 750 
/etc/ppp/chap-secrets root.root 600 
/etc/ppp/pap-secrets root .root 600 
/etc/pppoed.conf root.root 600 
/etc/smpppd.conf root.root 600 
/etc/smpppd-c.conf root.dialout 640 
# 141 package: 

/usr/sbin/isdnctrl root .uucp 0750 
/usr/sbin/isdnbutton root.trusted 0755 
/usr/bin/vboxbeep root.trusted 0755 
+ 


$ linux text console utilities 

# since svgalib has vanished, only the mc cons.saver is left. 
+ 

/usr/lib/mc/bin/cons.saver root .root 0755 
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Ak dk de dk e Se 


# screen 


binaries. 
moved to /etc/permissions, 


terminal emulators 
This and future SuSE products have support for the utempter, a small helper 
program that does the utmp/wtmp update work with the necessary rights. 

The use of utempter obsoletes the need for sgid bits on terminal emulator 
but all other terminal emulators have 
with modes set to 0755. 





. multi-user mode needs suid root 


/usr/bin/screen 


We mention screen here, 


(4755). 
root. 


root 


72 


discouraged... 


0755 


# this still uses the old /dev/ttypX terminal files. Needs 


# suid root to chown the tty. 


/usr/X11R6/bin/xwawi 

# same here: 
/usr/X11R6/bin/c16term 

# framebuffer terminal emulator 
# in "easy". 

/usr/bin/jfbterm 

/usr/bin/newvc 

/usr/bin/fld 


# 

# former 
# 

/usr/X111 
/usr/X11 
/usr/X11 
/usr/X111 
/usr/X111 
/usr/X111 
/usr/X111 
/usr/X111 
/usr/X111 
/usr/X111 
/usr/X11 
/usr/X11 
/usr/X111 
/usr/X111 
/usr/X11 
/usr/X111 
/usr/X111 
/usr/X111 
/usr/X111 
/usr/X111 
/usr/X11 
/usr/X11 
/usr/X111 
/usr/X111 
/usr/X11 
/usr/X111 
/usr/X111 
/usr/X111 


suid programs 


R6/bin/seyon 
R6/bin/SuperProbe 
R6/bin/XBF_NeoMagic 
R6/bin/XF86_8514 
R6/bin/XF86_AGX 
R6/bin/XF86_1128 
R6/bin/XF86_Mach32 
R6/bin/XF86_Mach64 
R6/bin/XF86_Mach8 
R6/bin/XF86_Mono 
R6/bin/XF86_P9000 
R6/bin/XF86_S3 
R6/bin/XF86_S3V 
R6/bin/XF86_SVGA 
R6/bin/XF86_VGA16 
R6/bin/XF86_W32 
R6/bin/XFCom_3DLabs 
R6/bin/XFCom_Cyrix 
R6/bin/XFCom_Rendition 
R6/bin/XFCom_SiS 
R6/bin/XSuSE_AT3D 
R6/bin/XSuSE_Elsa_GLoria 
R6/bin/XSuSE_Mat rox 
R6/bin/XSuSE_NVidia 
R6/bin/XSuSE_Tseng 
R6/bin/xcpustate 
R6/bin/xload 
R6/bin/xosview.bin 














Gl Fl 





Gl 





/usr/X111 


R6/bin/xosview 


/usr/bin/cu 


root. 
(Japanese). 


root 
root 
root 


root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 


Should do without, 
root. 


tty 


tty 


Most scary... 


-tty 
. root 
- root 


-uucp 
. root 
. root 
. root 
. root 
. root 
. root 
. root 
. root 
- root 
. root 
. root 
. root 
. root 
. root 
. root 
. root 
. root 
. root 
. root 
. root 
. root 
. root 
. root 
. root 
. root 
. root 
- root 
. root 
. root 


0755 


0755 
Compare modes 


0755 
0755 
0755 


0755 
1909 
755 
1:95 
755 
755 
755 
199 
755 
755 
755 
755 
755 
755 
139) 
755 
199 
755 
755 
755 
755 
755 
755 
755 
755 
755 
755 
139 
755 
755 
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/usr/bin/cdrecord 
/usr/bin/elm 
/usr/bin/filter 
/usr/bin/deliver 
/usr/bin/lockfile 
/usr/bin/minicom 
/usr/bin/mutt 
/usr/bin/procmail 
/usr/sbin/atrun 
/usr/bin/mh/inc 
/usr/bin/mh/msgchk 


kde+kde2 


the helper programs) 


Se de e e Se 


# arts wrapper, normally suid root: 
/opt/kde3/bin/artswrapper 
/opt/kde2/bin/artswrapper 


root 
root 
root 
root 
root 
root 
root 
root 
root 
root 
root 


. root 
. root 
. root 
. root 
. root 
.UUCp 
. root 
. root 
. root 
. root 
. root 


755 
755 
755 
755 
755 
1:99 
755 
755 
755 
199 
755 


(all of them are disabled in permissions.secure except for 


# set this to suid root (4755) if you're running shadow via NIS: 


/opt/kde3/bin/kcheckpass 

# getting group id disk means root. 
/opt/kde3/bin/kscd 

# This has a meaning: 
/opt/kde3/bin/kdesud 
/opt/kde2/bin/kdesud 

# devpts obsoletes this: 
/opt/kde3/bin/konsole. grantpty 
/opt/kde2/bin/konsole. grantpty 
/opt/kde3/bin/kreatecd rootwrapper 
/opt/kde2/bin/kpac_dhcp_helper 
/opt/kde3/bin/kpac_dhcp_helper 
/opt/kde2/bin/kradio 
/opt/kde2/bin/kwintv 

# kdemultimedia3-sound, gift 
/var/cache/gift 
/var/cache/cddb 
/var/cache/cddb/blues 
/var/cache/cddb/classical 
/var/cache/cddb/country 
/var/cache/cddb/data 
/var/cache/cddb/folk 
/var/cache/cddb/ jazz 
/var/cache/cddb/misc 
/var/cache/cddb/newage 
/var/cache/cddb/reggae 
/var/cache/cddb/rock 
/var/cache/cddb/soundtrack 





See 


root.root 0755 
root.root 0755 
root.shadow 0755 
modes of disk device 
root.disk 0755 
root .nogroup 2755 
root .nogroup 2155 
root .root 0755 
root .root 0755 
root .root 0755 
root .root 0755 
root .root 0755 
root .video 0755 
root . video 0755 
root .root 0755 
root .root 0755 
root .root 0755 
root .root 0755 
root .root 0755 
root .root 0755 
root .root 0755 
root .root 0755 
root .root 0755 
root.root 0755 
root .root 0755 
root .root 0755 
root .root 0755 


# xmcd database, open only in permissions.easy 


files! 
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/var/lib/xmcd/discog root .root 755 
/var/lib/xmcd/discog/Blues root.root 755 
/var/lib/xmcd/discog/Blues/General Blues/index.html root.root 644 
/var/lib/xmcd/discog/Classical root .root 755 
/var/lib/xmcd/discog/Classical/General Classical/index.html root.root 644 
/var/lib/xmcd/discog/Country root .root 755 
/var/lib/xmcd/discog/Country/General_Country/index.html root.root 644 
/var/lib/xmcd/discog/Data root .root 755 
/var/lib/xmcd/discog/Data/General Data/index.html root.root 644 
/var/lib/xmcd/discog/Folk root .root 755 
/var/lib/xmcd/discog/Folk/General_Folk/index.html root.root 644 
/var/lib/xmcd/discog/Jazz root .root 755 
/var/lib/xmcd/discog/Jazz/General Jazz/index.html root.root 644 
/var/lib/xmcd/discog/Newage root .root 755 
/var/lib/xmcd/discog/Newage/General_Newage/index.html root.root 644 
/var/lib/xmcd/discog/Rock root .root 755 
/var/lib/xmcd/discog/Rock/General Rock/index.html root.root 644 
/var/lib/xmcd/discog/ Soundtrack root .root 155 
/var/lib/xmcd/discog/Soundtrack/General Soundtrack/index.html root.root 644 
/var/lib/xmcd/discog/Unclassifiable root .root 155 
/var/lib/xmcd/discog/Unclassifiable/General_Unclassifiable/index.html root.root 644 
/var/lib/xmcd/discog/World root .root 755 
/var/lib/xmcd/discog/World/Reggae root.root 755 
/var/lib/xmcd/discog/World/Reggae/index.html root.root 644 
/var/lib/xmcd/discog/index.html root .root 644 

+ 

+ amanda 

+ 

# Well, if you are gid disk already, you don’t need these amanda binaries 
# to get root. 

# Anyway, we don’t keep the suid bits. 

/usr/sbin/amcheck root.disk 0750 
/usr/lib/amanda/calcsize root.disk 0750 
/usr/lib/amanda/rundump root .disk 0750 
/usr/lib/amanda/planner root .disk 0750 
/usr/lib/amanda/runtar root .disk 0750 
/usr/lib/amanda/dumper root .disk 0750 
/usr/lib/amanda/killpgrp root .disk 0750 

#
# ingres
# all suid and sgid bits cleared.
/usr/ingres/bin                                             root.root       0755
/usr/ingres/bin/creatdb                                     root.root       0751
/usr/ingres/bin/destroydb                                   root.root       0751
/usr/ingres/bin/helpr                                       root.root       0751
/usr/ingres/bin/ingconv                                     root.root       0751
/usr/ingres/bin/ingres                                      root.root       0751
/usr/ingres/bin/printadmin                                  root.root       0751
/usr/ingres/bin/printr                                      root.root       0751
/usr/ingres/bin/purge                                       root.root       0751
/usr/ingres/bin/restore                                     root.root       0751
/usr/ingres/bin/sysdump                                     root.root       0751
/usr/ingres/bin/sysmod                                      root.root       0751
/usr/ingres/bin/sysmodfunc                                  root.root       0751
/usr/ingres/bin/univingres                                  root.root       0751
# :-)
/usr/ingres/bin/usersetup                                   root.root       0700
/opt/tngfw/ingres/files/iipwd/ingvalidpw.dis                ingres.sys      0755
/opt/tngfw/ingres/utility/csreport                          ingres.sys      0755
/opt/tngfw/secu/bin/cadatefmt                               root.root       0755
/opt/tngfw/cadb/system/cadb_sut                             root.root       0755
/opt/tngfw/cadb/system/dbserver                             root.sys        0755
/opt/tngfw/wv/bin/create_repository                         root.root       0755
/opt/tngfw/wv/bin/fwrpt                                     root.root       0755
/opt/tngfw/wv/bin/dscvrbe                                   root.root       0755
/opt/tngfw/wv/bin/carxwvdg                                  root.root       0755
/opt/tngfw/wv/bin/discwiz                                   root.root       0755
/opt/tngfw/wv/bin/tools_scripts                             root.root       0755
/opt/tngfw/wv/bin/emrport                                   root.root       0755
/opt/tngfw/wv/bin/emrpt                                     root.root       0755
/opt/tngfw/wv/bin/logonserver.exe                           root.root       0755
/opt/tngfw/wv/bin/dscvrone                                  root.root       0755
/opt/tngfw/wv/bin/dscvrbe_stop                              root.root       0755
/opt/tngfw/cal                                              root.root       755

#
# yard
# all suid and sgid bits cleared.
/usr/lib/YARD/bin/yardarch                                  root.yard       0750
/usr/lib/YARD/bin/yardck                                    root.yard       0750
/usr/lib/YARD/bin/yardd                                     root.yard       0750
/usr/lib/YARD/bin/yardflush                                 root.yard       0750
/usr/lib/YARD/bin/yardinit                                  root.yard       0750
/usr/lib/YARD/bin/yardlog                                   root.yard       0750
/usr/lib/YARD/bin/yardsrv                                   root.yard       0755
/usr/lib/YARD/bin/yardstat                                  root.yard       0755
/usr/lib/YARD/bin/yarduser                                  root.yard       0555

#
# gnats
#
/usr/lib/gnats/gen-index                                    gnats.root      4555
/usr/lib/gnats/pr-edit                                      gnats.root      4555
/usr/lib/gnats/queue-pr                                     gnats.root      4555

#
# news (inn)
#
# suid root bits cleared.
/usr/lib/news/bin/rnews                                     news.uucp       0755
/usr/lib/news/bin/startinnfeed                              root.news       0755
/usr/lib/news/bin/inndstart                                 root.news       0755
/usr/lib/news/bin/inews                                     news.news       0755

#
# fax
#
# restrictive, only for "trusted" group users:
/var/spool/fax/outgoing                                     root.trusted    1770
/var/spool/fax/outgoing/locks                               root.trusted    1770
/var/spool/fax/archive                                      uucp.uucp       700
/var/spool/fax/bin                                          uucp.uucp       755
/var/spool/fax/client                                       uucp.uucp       755
/var/spool/fax/config                                       uucp.uucp       755
/var/spool/fax/dev                                          uucp.uucp       755
/var/spool/fax/docq                                         uucp.uucp       700
/var/spool/fax/doneq                                        uucp.uucp       700
/var/spool/fax/etc                                          uucp.uucp       755
/var/spool/fax/info                                         uucp.uucp       755
/var/spool/fax/log                                          uucp.uucp       755
/var/spool/fax/pollq                                        uucp.uucp       700
/var/spool/fax/recvq                                        uucp.uucp       755
/var/spool/fax/sendq                                        uucp.uucp       700
/var/spool/fax/status                                       uucp.uucp       755
/var/spool/fax/tmp                                          uucp.uucp       700

#
# tex
#
/var/texfonts/pk/deskjet                                    root.root       0775
/var/texfonts/pk/gsftopk                                    root.root       0775
/var/texfonts/pk                                            root.root       0775
/var/texfonts                                               root.root       0775

#
# uucp
#
/var/spool/uucppublic                                       root.uucp       1770
/var/spool/uucp                                             uucp.uucp       755
/usr/bin/uucp                                               uucp.uucp       0555
/usr/bin/uuname                                             uucp.uucp       0555
/usr/bin/uustat                                             uucp.uucp       0555
/usr/bin/uux                                                uucp.uucp       0555
/usr/lib/uucp/uucico                                        uucp.uucp       0555
/usr/lib/uucp/uuxqt                                         uucp.uucp       0555
/var/lib/uucp/taylor_config/call                            uucp.uucp       440
/var/lib/uucp/taylor_config/passwd                          uucp.uucp       440
/var/log/uucp                                               uucp.uucp       755
#
# games of all kinds, toys
# all suid and sgid bits cleared.
#
# directories:
/var/games                                                  games.games     0775
/var/games/sasteroids                                       games.games     0775
/var/games/xbl                                              games.games     0775
/var/games/sail                                             games.games     0775
/var/games/phantasia                                        games.games     0775
/var/games/kugel-scorefile                                  games.games     0664
/var/games/kjewelscore                                      games.games     0664
/var/games/xgalaga/scores                                   games.games     0664
/var/games/xsok                                             games.games     0775
/var/games/xsok/Cyberbox.score                              games.games     0664
/var/games/xsok/Sokoban.score                               games.games     0664
/var/games/xsok/Xsok.score                                  games.games     0664
/var/games/xbill/scores                                     games.games     0664
/var/games/geki2.scores                                     games.games     0664
/var/games/grande.scores                                    games.games     0664
# svgalib:
/usr/games/abuse.console                                    root.root       0755
# SpaceBoom: not in SuSE-7.1 any more:
/usr/games/SpaceBoom/SpaceBoom                              root.root       0755
/usr/games/synaesthesia                                     root.root       0755
/usr/games/sasteroids                                       root.games      0755
/usr/games/snake                                            games.games     0755
/usr/games/wtf                                              games.games     0755
/usr/games/trek                                             games.games     0755
/usr/games/cribbage                                         games.games     0755
/usr/games/arithmetic                                       games.games     0755
/usr/games/quiz                                             games.games     0755
/usr/games/backgammon                                       games.games     0755
/usr/games/banner                                           games.games     0755
/usr/games/canfield                                         games.games     0755
/usr/games/wargames                                         games.games     0755
/usr/games/fish                                             games.games     0755
/usr/games/tetris-bsd                                       games.games     0755
/usr/games/apxserver                                        games.games     0755
/usr/games/huntd                                            games.games     0755
/usr/games/hunt                                             games.games     0755
/usr/games/rot13                                            games.games     0755
/usr/games/boggle                                           games.games     0755
/usr/games/pig                                              games.games     0755
/usr/games/worms                                            games.games     0755
/usr/games/robots                                           games.games     0755
/usr/games/yahtzee                                          games.games     0755
/usr/games/Maelstrom                                        games.games     0755
/usr/games/monop                                            games.games     0755
/usr/games/random                                           games.games     0755
/usr/games/cfscores                                         games.games     0755
/usr/games/number                                           games.games     0755
/usr/games/mille                                            games.games     0755
/usr/games/ppt                                              games.games     0755
/usr/games/adventure                                        games.games     0755
/usr/games/morse                                            games.games     0755
/usr/games/battlestar                                       games.games     0755
/usr/games/sail                                             games.games     0755
/usr/games/rain                                             games.games     0755
/usr/games/countmail                                        games.games     0755
/usr/games/factor                                           games.games     0755
/usr/games/caesar                                           games.games     0755
/usr/games/wump                                             games.games     0755
/usr/games/snscore                                          games.games     0755
/usr/games/gomoku                                           games.games     0755
/usr/games/pom                                              games.games     0755
/usr/games/bin/cfsndserv                                    games.games     0755
/usr/games/bin/cfclient                                     games.games     0755
/usr/games/bin/gcfclient                                    games.games     0755
/usr/games/bin/crossfire                                    games.games     0755
/usr/games/hangman                                          games.games     0755
/usr/games/dm                                               games.games     0755
/usr/games/atc                                              games.games     0755
/usr/lib/nethack/nethack.gtk                                games.games     0755
/usr/lib/nethack/nethack.tty                                games.games     0755
/usr/lib/nethack/nethack.qt                                 games.games     0755
/usr/lib64/nethack/nethack.gtk                              games.games     0755
/usr/lib64/nethack/nethack.tty                              games.games     0755
/usr/lib64/nethack/nethack.qt                               games.games     0755
# falconseye
/usr/lib/nethack/nethack.fe                                 games.games     0755
/usr/lib64/nethack/nethack.fe                               games.games     0755
/usr/games/primes                                           games.games     0755
/usr/games/phantasia                                        games.games     0755
/usr/games/bcd                                              games.games     0755
/usr/games/worm                                             games.games     0755
/usr/games/teachgammon                                      games.games     0755
/usr/games/chromium                                         games.games     0755
/usr/games/crossfire                                        games.games     0755
/usr/games/geki2                                            games.games     0755
/usr/games/grande                                           games.games     0755
/usr/games/xscrab                                           games.games     0755
/usr/bin/ltris                                              games.games     0755
/usr/bin/xlogical                                           games.games     0755
/usr/bin/lbreakout                                          games.games     0755
/usr/bin/lbreakout2                                         games.games     0755
# d1x descent
/usr/share/games/d1x/d1x143sh                               games.games     0755
/usr/X11R6/bin/mirrormagic                                  games.games     0755
/usr/X11R6/bin/xboing                                       games.games     0755
/usr/X11R6/bin/xboingrp                                     games.games     0755
/usr/X11R6/bin/xbombs                                       games.games     0755
/usr/X11R6/bin/xgalaga                                      games.games     0755
/usr/X11R6/bin/tophextris                                   games.games     0755
/usr/X11R6/bin/xtetris                                      games.games     0755
/usr/X11R6/bin/xhextris                                     games.games     0755
/usr/X11R6/bin/cxhextris                                    games.games     0755
/usr/X11R6/bin/xdigger                                      games.games     0755
/usr/X11R6/bin/xkobo                                        games.games     0755
/usr/X11R6/bin/xmris                                        games.games     0755
/usr/X11R6/bin/xbl                                          games.games     0755
/usr/X11R6/bin/battalion                                    games.games     0755
/usr/X11R6/bin/rocksndiamonds                               games.games     0755

# gnome-games
/opt/gnome2/bin/gtali                                       games.games     0755
/opt/gnome2/bin/gnotski                                     games.games     0755
/opt/gnome2/bin/gnome-stones                                games.games     0755
/opt/gnome2/bin/glines                                      games.games     0755
/opt/gnome2/bin/gnibbles                                    games.games     0755
/opt/gnome2/bin/iagno                                       games.games     0755
/opt/gnome2/bin/gnotravex                                   games.games     0755
/opt/gnome/bin/sol                                          games.games     0755
/opt/gnome/bin/gturing                                      games.games     0755
/opt/gnome/bin/gnome-xbill                                  games.games     0755
/opt/gnome2/bin/mahjongg                                    games.games     0755
/opt/gnome2/bin/gnometris                                   games.games     0755
/opt/gnome/bin/ctali                                        games.games     0755
/opt/gnome2/bin/gnobots2                                    games.games     0755
/opt/gnome2/bin/gnomine                                     games.games     0755
/opt/gnome2/bin/same-gnome                                  games.games     0755
/opt/gnome/bin/freecell                                     games.games     0755
/opt/gnome/bin/GnomeScott                                   games.games     0755
/opt/gnome/bin/gataxx                                       games.games     0755
/opt/gnome/bin/soundtracker                                 root.root       0755
/opt/gnome/bin/gewels                                       games.games     0755
/opt/gnome/bin/gnect                                        games.games     0755

# lprng
# FIXME: setuid root is bad - setgid lp should be sufficient...
/usr/bin/lpq                                                root.lp         2755
/usr/bin/lpr                                                root.lp         2755
/usr/bin/lprm                                               root.lp         2755
/usr/bin/lpstat                                             root.lp         2755

#
# postfix
/usr/sbin/postdrop                                          root.maildrop   2755
/usr/sbin/postqueue                                         root.maildrop   2755

# Security configuration and old passwords
/etc/security                                               root.root       0755
/etc/security/opasswd                                       root.root       0600
/usr/lib/news                                               root.root       0750
/etc/news                                                   root.root       0750
/etc/uucp                                                   root.root       0750

# Audit configuration and log files
/etc/audit                                                  root.root       0700
/etc/audit/audit.conf                                       root.root       0600
/etc/audit/filter.conf                                      root.root       0600
/etc/audit/eal3files.conf                                   root.root       0600
/var/log/audit                                              root.root       0600
/var/log/audit.d                                            root.root       0700
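The listing above uses one format throughout: path, owner.group, octal mode. What follows is an added example, not part of the guide and not SuSE's own permissions tooling, that parses that format and compares it against a filesystem tree, treating a setuid or setgid bit the listing does not grant as its own class of finding. The directory tree and the listing it checks are constructed inside the example.

```python
"""Check a permissions listing in the path / owner.group / mode format used
above against a filesystem tree.

Added example, not part of the SLES guide or of SuSE's chkstat tool. It parses
the three-column listing ('#' starts a comment), looks each path up with
lstat() and reports owner, group and mode deviations, calling out setuid or
setgid bits that the listing expects to be clear. Paths that do not exist are
skipped: the package is then simply not installed."""
import grp
import os
import pwd
import stat
import tempfile
from typing import NamedTuple


class Entry(NamedTuple):
    path: str
    owner: str
    group: str
    mode: int


def parse_permissions(text: str) -> list[Entry]:
    """Turn lines like '/etc/audit  root.root  0700' into Entry tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments, blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or "." not in parts[1]:
            raise ValueError(f"malformed permissions line: {raw!r}")
        owner, group = parts[1].split(".", 1)
        entries.append(Entry(parts[0], owner, group, int(parts[2], 8)))
    return entries


def _uid(name: str) -> int:
    return int(name) if name.isdigit() else pwd.getpwnam(name).pw_uid


def _gid(name: str) -> int:
    return int(name) if name.isdigit() else grp.getgrnam(name).gr_gid


def check_entry(entry: Entry, root: str = "/") -> list[str]:
    """Return the deviations for one entry; an empty list means it conforms."""
    try:
        st = os.lstat(os.path.join(root, entry.path.lstrip("/")))  # no symlink following
    except (FileNotFoundError, NotADirectoryError):
        return []
    try:
        want_uid, want_gid = _uid(entry.owner), _gid(entry.group)
    except KeyError as exc:
        return [f"{entry.path}: unknown owner or group {exc}"]
    findings = []
    if st.st_uid != want_uid:
        findings.append(f"{entry.path}: owner is uid {st.st_uid}, expected {entry.owner}")
    if st.st_gid != want_gid:
        findings.append(f"{entry.path}: group is gid {st.st_gid}, expected {entry.group}")
    have = stat.S_IMODE(st.st_mode)
    if have != entry.mode:
        # a setuid/setgid bit on disk that the listing does not grant is the
        # deviation the "suid bits cleared" comments above are about
        extra = have & ~entry.mode & (stat.S_ISUID | stat.S_ISGID)
        note = " (setuid/setgid bit set that the listing clears)" if extra else ""
        findings.append(f"{entry.path}: mode {have:04o}, expected {entry.mode:04o}{note}")
    return findings


def demo() -> dict[str, list[str]]:
    """Run the check on a constructed tree in a temporary directory: one
    conforming binary, one that kept a setuid bit, one that is not installed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/games"))
        for name, mode in (("usr/games/hunt", 0o755), ("usr/games/monop", 0o4755)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        st = os.lstat(os.path.join(root, "usr/games/hunt"))
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:                     # id without a name, e.g. in a container
            owner, group = str(st.st_uid), str(st.st_gid)
        listing = f"""
# constructed sample listing: games, all suid and sgid bits cleared
/usr/games/hunt        {owner}.{group}   0755
/usr/games/monop       {owner}.{group}   0755
/usr/games/trek        {owner}.{group}   0755
"""
        return {e.path: check_entry(e, root) for e in parse_permissions(listing)}
```

Running `check_entry` over the real listing with `root="/"` requires only read access to the paths; it never changes anything.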


7.5 The file /etc/init.d/audit

#! /bin/sh
# Copyright (c) 2003 SuSE Linux AG, Nuernberg, Germany.
#
# Author: Olaf Kirch <okir@suse.de>
#
# /etc/init.d/audit
#
### BEGIN INIT INFO
# Provides:       audit
# Required-Start:
# Required-Stop:
# Default-Start:  2 3 5
# Default-Stop:   0 1 6
# Description:    Start audit subsystem
### END INIT INFO

# Set defaults and read admin preferences
AUDIT_ALLOW_SUSPEND=1
AUDIT_ATTACH_ALL=0
AUDIT_MAX_MESSAGES=1024
AUDIT_PARANOIA=0
test -s /etc/sysconfig/audit && \
    . /etc/sysconfig/audit

AUDITD_BIN=/sbin/auditd

# FIXME: use shell daemon and kill system on auditd failure ?!

# ppc special case - use 64-bit binary on ppc64
#
if [ `arch` = 'ppc64' ]; then
    AUDITD_BIN=/sbin/auditd64
fi

# ppc special case #2 - we may be running a 32bit shell (arch==ppc)
# but the auditd was launched from a 64bit shell (arch==ppc64). Fix up the
# binary name in that case (also for other 64-bit platforms)
#
if ps ax | grep -v grep | grep auditd64 >/dev/null; then
    AUDITD_BIN=/sbin/auditd64
fi

test -x $AUDITD_BIN || exit 5

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     ditto but be verbose in local rc status
#      rc_status -v -r  ditto and clear the local rc status
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num><num>
#      rc_reset         clear local rc status (overall remains)
#      rc_exit          exit appropriate to overall rc status
. /etc/rc.status

# First reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signalling is not supported) are
# considered a success.

configure_module () {
    if /sbin/lsmod | grep audit >/dev/null; then :; else
        /sbin/modprobe audit 2>/dev/null
        sleep 1
    fi
    echo $AUDIT_ALLOW_SUSPEND > /proc/sys/dev/audit/allow-suspend
    echo $AUDIT_ATTACH_ALL    > /proc/sys/dev/audit/attach-all
    echo $AUDIT_MAX_MESSAGES  > /proc/sys/dev/audit/max-messages
    echo $AUDIT_PARANOIA      > /proc/sys/dev/audit/paranoia
}

case "$1" in
    start)
        echo -n "Starting audit subsystem"
        ## Start daemon with startproc(8). If this fails
        ## the echo return value is set appropriate.
        configure_module
        /sbin/startproc $AUDITD_BIN || return=$rc_failed

        # give auditd some time to initialize, so that auditing
        # is active when the script is done.
        sleep 1

        # Remember status and be verbose
        rc_status -v
        ;;
    inittab)
        # not intended for interactive use; this mode
        # is for running auditd from /etc/inittab, i.e.:
        #   au:35:/etc/init.d/audit inittab
        configure_module
        $AUDITD_BIN -F 2>>/var/log/auditd.log
        ;;
    stop)
        echo -n "Shutting down audit subsystem"
        /sbin/killproc -TERM $AUDITD_BIN

        # Remember status and be verbose
        rc_status -v
        ;;
    try-restart)
        ## Stop the service and if this succeeds (i.e. the
        ## service was running before), start it again.
        ## Note: try-restart is not (yet) part of LSB (as of 0.7.5)
        $0 status >/dev/null && $0 restart

        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## If first returns OK call the second, if first or
        ## second command fails, set echo return value.
        $0 stop && $0 start || return=$rc_failed
        ;;
    force-reload)
        ## Signal the daemon to reload its config. Most daemons
        ## do this on signal 1 (SIGHUP).
        ## If it does not support it, restart.
        echo -n "Reload audit configuration"
        configure_module
        killproc -HUP $AUDITD_BIN
        rc_status
        ;;
    reload)
        echo -n "Reload audit configuration"
        configure_module
        killproc -HUP $AUDITD_BIN

        # If it supports signalling:
        #killproc -HUP $AUDITD_BIN
        #touch /var/run/FOO.pid
        #rc_status -v

        # Otherwise if it does not support reload:
        rc_failed 3
        rc_status -v
        ;;
    status)
        echo -n "Checking for audit daemon: "
        ## Check status with checkproc(8), if process is running
        ## checkproc will return with exit status 0.
        # 0 - service running
        # 1 - service dead, but /var/run/  pid  file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running
        # NOTE: checkproc returns LSB compliant status values.
        checkproc $AUDITD_BIN
        rc_status -v
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload}"
        exit 1
        ;;
esac
rc_exit


7.6 The file /etc/audit/audit.conf

# kernel interface
device-file = "/dev/audit";

# filter config
filter-config = "/etc/audit/filter.conf";

# Standard output method is bin mode.
#
output {
    mode = bin;
    num-files = 4;
    file-size = 20M;
    file-name = "/var/log/audit.d/bin";
    notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C";

    # The following symlink is created whenever we switch to
    # a new bin.
    current = "/var/log/audit";

    # force a disk flush after each record? This slows things
    # down greatly, but helps preserve records in case of a crash.
    sync = no;

    error {
        action {
            type = suspend;
        };
    };
};

# Alternatively, write to /var/log/audit in normal
# append mode
# output {
#     mode = append;
#     file-name = "/var/log/audit";
#     sync = yes;
# };

# Alternative output
# output {
#     mode = stream;
#     command = "/usr/local/sbin/send_to_syslog"
# };

# Disk usage thresholds.
# These thresholds are checked at regular intervals when
# append mode is used.
# (bin mode doesn't require these checks as the bin files
# are preallocated).
threshold disk-space-low {
    space-left = 10M;
    action {
        type = syslog;
        facility = security;
        priority = warning;
    }
    action {
        type = notify;
        command = "/usr/local/bin/page-admin";
    }
    action {
        type = audit;
        event = AUDIT_disklow;
    }
}

threshold disk-full {
    space-left = 20K;
    action {
        type = syslog;
        facility = security;
        priority = crit;
    };
    action {
        type = audit;
        event = AUDIT_diskfull;
    };
};


7.7 The file /etc/audit/filter.conf

#
# This is a sample filter.conf file.
# Please take a look at filesets.conf first if you
# wish to customize what system calls will be logged.
#
# The syntax of this file is described in filter.conf(5).
#

#
# Various primitive predicates
predicate is-null = eq(0);
predicate is-negative = lt(0);
predicate is-system-uid = lt(100);
predicate is-lower-1024 = lt(-1024);

#
# Predicate to check open(2) mode: true iff
#   (mode & O_ACCMODE) == O_RDONLY
predicate is-rdonly = mask(O_ACCMODE, O_RDONLY);
#
# Predicates for testing file type, valid when applied
# to a file type argument
predicate __isreg = mask(S_IFMT, S_IFREG);
predicate __isdir = mask(S_IFMT, S_IFDIR);
predicate __ischr = mask(S_IFMT, S_IFCHR);
predicate __isblk = mask(S_IFMT, S_IFBLK);
predicate __issock = mask(S_IFMT, S_IFSOCK);
predicate __islnk = mask(S_IFMT, S_IFLNK);
predicate s_isreg = __isreg(file-mode);
predicate s_isdir = __isdir(file-mode);
predicate s_ischr = __ischr(file-mode);
predicate s_isblk = __isblk(file-mode);
predicate s_issock = __issock(file-mode);
predicate s_islnk = __islnk(file-mode);
predicate is-tempdir = mask(01777, 01777);
predicate is-world-writable = mask(0666, 0666);

#
# Predicates dealing with process exit code
predicate if-crash-signal =
    !mask(__WSIGMASK, 0)
    && (mask(__WSIGMASK, __WSIGILL) ||
        mask(__WSIGMASK, __WSIGABRT) ||
        mask(__WSIGMASK, __WSIGSEGV) ||
        mask(__WSIGMASK, __WSIGSTKFLT));

#
# Predicates for audit-tags
predicate is-o-creat = mask(O_CREAT, O_CREAT);
predicate is-ipc-remove = eq(IPC_RMID);
predicate is-ipc-setperms = eq(IPC_SET);
predicate is-ipc-creat = mask(IPC_CREAT, IPC_CREAT);
predicate is-auditdevice = prefix("/dev/audit");
predicate is-cmd-set-auditid = eq(AUIOCS                                                                                                                                                                                                                                  ETAUDITID);
predicate is-cmd-set-loginid = eq(AUIOCLOGIN);
predicate is-audit-setfilter = eq(113);
predicate is-audit-log = prefix("/var/log/audit.d");
#
# Misc filters
filter is-root = is-null(uid);
filter is-setuid = is-null(dumpable);
filter syscall-failed = is-negative(result);
filter syscall-addr-succeed = is-lower-1024(result);
predicate is-af-packet = eq(AF_PACKET);
predicate is-af-netlink = eq(AF_NETLINK);
predicate is-sock-raw = eq(SOCK_RAW);

#
# Include filesets.
#
include "eal3files.conf";

#
# "Secret" files should not be read by everyone -
# we also log read access to these files
#
# predicate is-secret = prefix(@secret-files);

#
# All regular files owned by a system uid are deemed sensitive
#
predicate is-system-file = is-system-uid(file-uid)
    && !(prefix("/var") || prefix("/tmp"))
    && !is-world-writable(file-mode);

#
# Define ioctls we track
#
set sysconf-ioctls = {
    SIOCADDDLCI,
    SIOCADDMULTI,
    SIOCADDR
    SIOCBONDCHANGEACTIVE,
    SIOCBONDENSLAVE,
    SIOCBON
    SIOCBON
    SIOCDARP,
    SIOCD
    SIOCD
    SIOCD
    SIOCSIFBR,
    SIOCSIFBRDADDR,
    SIOCSIFDSTADDR,
    SIOCSIFENCAP,
    SIOCSIFFLAGS,
    SIOCSIFHWADDR,
    SIOCSIFHWBROADCAST,
    SIOCSIFLINK,
    SIOCSIFMAP,
    SIOCSIFMEM,
    SIOCSIFMETRIC,
    SIOCSIFMTU,
    SIOCSIFNAME,
    SIOCSIFNETMASK,
    SIOCSIFPFLAGS,
    SIOCSIFSLAVE,
    SIOCSIFTXQLEN,
    SIOCSMIIREG
};
predicate is-sysconf-ioctl = eq(@sysconf-ioctls);
#
# System calls on file names
#
set file-ops = {
    "mkdir", "rmdir", "unlink",
    "chmod",
    "chown", "lchown",
    "chown32", "lchown32",
};
#
# General system related ops
#
set system-ops = {
    swapon, swapoff,
    create_module, init_module, delete_module,
    sethostname, setdomainname,
};
set priv-ops = {
    "setuid",
    "setuid32",
    "seteuid",
    "seteuid32",
    "setreuid",
    "setreuid32",
    "setresuid",
    "setresuid32",
    "setgid",
    "setgid32",
    "setegid",
    "setegid32",
    "setregid",
    "setregid32",
    "setresgid",
    "setresgid32",
    "setgroups",
    "setgroups32",
    "capset",
};


#
# Audit-Tags (only syscall related tags are handled here)
#
# define sets of syscalls related to audit-tags

# System calls for changing file modes
set mode-ops = {
    "chmod",
    "fchmod",
};

# System calls for changing file owner
set owner-ops = {
    "chown", "lchown",
    "chown32", "lchown32",
    "fchown",
};

# System calls doing file link operations
set link-ops = {
    "link", "symlink",
};

# System calls for creating device files
set mknod-ops = {
    "mknod",
};

# System calls for opening a file
set open-ops = {
    "open",
};
# File renaming
set rename-ops = {
    "rename",
};

# File truncation
set truncate-ops = {
    "truncate", "truncate64",
    "ftruncate", "ftruncate64",
};
# Unlink files
set unlink-ops = {
    "unlink",
};

# Deletion of directories
set rmdir-ops = {
    "rmdir",
};

# Mounting of filesystems
set mount-ops = {
    "mount",
};

# Unmounting of filesystems
set umount-ops = {
    "umount",
    "umount2"
};

# Changing user (-role)
set userchange-ops = {
    "setuid",
    "setuid32",
    "seteuid",
    "seteuid32",
    "setreuid",
    "setreuid32",
    "setresuid",
    "setresuid32",
};

# Execute another program
set execute-ops = {
    "execve",
};

# Set real user-ID
set realuid-ops = {
    "setuid",
    "setuid32",
};

# Set user-IDs in general
set setuserids-ops = {
    "setuid",
    "setuid32",
    "seteuid",
    "seteuid32",
    "setreuid",
    "setreuid32",
    "setresuid",
    "setresuid32",
};

# Set real group-ID
set realgid-ops = {
    "setgid",
    "setgid32",
    "setgroups",
    "setgroups32",
};

# Set group-IDs in general
set setgroups-ops = {
    "setgid",
    "setgid32",
    "setegid",
    "setegid32",
    "setregid",
    "setregid32",
    "setresgid",
    "setresgid32",
    "setgroups",
    "setgroups32",
};

# Set other kind of privileges (capabilities)
set privilege-ops = {
    "capset",
};

# Change system-time
set timechange-ops = {
    "adjtimex",
    "stime",
    "settimeofday",
};

##
## Here come the settings that trigger events
##

# bring sets and tags in conjunction
tag "FILE_mode"
    syscall @mode-ops = always;

tag "FILE_owner"
    syscall @owner-ops = always;

# tag "FILE_link"
#     syscall @link-ops = always;

tag "FILE_mknod"
    syscall @mknod-ops = always;

#tag "FILE_create"
#    syscall open = is-o-creat(arg1);
#tag "FILE_create"
#    syscall creat = always;

#tag "FILE_open"
#    syscall @open-ops = always;

#tag "FILE_open"
#    syscall @open-ops = (is-system-file(arg0) && !(is-rdonly(arg1)))
#        || is-secret(arg0);

#tag "FILE_rename"
#    syscall @rename-ops = always;
#tag "FILE_truncate"
#    syscall @truncate-ops = always;
#tag "FILE_unlink"
#    syscall @unlink-ops = always;
#tag "FS_rmdir"
#    syscall @rmdir-ops = always;
tag "FS_mount"
    syscall @mount-ops = always;
tag "FS_umount"
    syscall @umount-ops = always;

# I think owner changing doesn't make much sense
tag "MSG_owner"
    syscall msgctl = is-ipc-setperms(arg1);

tag "MSG_mode"
    syscall msgctl = is-ipc-setperms(arg1);

tag "MSG_delete"
    syscall msgctl = is-ipc-remove(arg1);

tag "MSG_create"
    syscall msgget = always;

tag "SEM_owner"
    syscall semctl = is-ipc-setperms(arg2);

tag "SEM_mode"
    syscall semctl = is-ipc-setperms(arg2);

tag "SEM_delete"
    syscall semctl = is-ipc-remove(arg2);
tag "SEM_create"
    syscall semget = always;

tag "SHM_owner"
    syscall shmctl = is-ipc-setperms(arg1);

tag "SHM_mode"
    syscall shmctl = is-ipc-setperms(arg1);

tag "SHM_delete"
    syscall shmctl = is-ipc-remove(arg1);

tag "SHM_create"
    syscall shmget = always;

tag "PRIV_userchange"
    syscall @userchange-ops = always;
tag "PROC_realuid"
    syscall @realuid-ops = always;

tag "PROC_auditid"
    syscall ioctl = (is-auditdevice(arg0) && is-cmd-set-auditid(arg1));

tag "PROC_loginid"
    syscall ioctl = (is-auditdevice(arg0) && is-cmd-set-loginid(arg1));

tag "PROC_setuserids"
    syscall @setuserids-ops = always;
tag "PROC_realgid"
    syscall @realgid-ops = always;
tag "PROC_setgroups"
    syscall @setgroups-ops = always;
tag "PROC_privilege"
    syscall @privilege-ops = always;
tag "PROC_privilege"
    syscall @priv-ops = always;

tag "SYS_timechange"
    syscall @timechange-ops = always;

tag "TCP_accept"
    syscall accept=always;

tag "TCP_listen"
    syscall listen=always;

tag "TCP_bind"
    syscall bind=always;

# not required by CAPP
# syscall ipc = always;

syscall socket = is-af-packet(arg0) || is-sock-raw(arg1);
syscall ioctl = is-sysconf-ioctl(arg1);

#
# Special filters for process/termination
event process-exit = if-crash-signal(exitcode);
#

# Events we want to log unconditionally:
event network-config = always;
event user-message = always;
event process-login = always;

predicate is-root-uid = eq(0);
predicate is-non-root-uid = !eq(0);
predicate is-audit-file = prefix("/var/log/audit.d");
predicate is-log-file = prefix("/var/log");
predicate is-toe-file = prefix(@toe_db_files);
predicate is-toe-dir = prefix(@toe_db_dirs);
predicate denied = eq(-13);
predicate is-sysdir = prefix(@sysdir-prefix);
predicate cmd_trusted = prefix(@trusted_prog);
filter is-root-user = is-root-uid(login-uid);
filter not-root-user = is-non-root-uid(login-uid);
filter effectivenonroot = is-non-root-uid(uid);
filter effectiveroot = is-root-uid(uid);

tag "AUD_file"
    syscall @file-ops = is-audit-log(arg0);

tag "AUD_file"
    syscall @open-ops = is-audit-log(arg0);

tag "AUD_file"
    syscall creat = is-audit-log(arg0);

tag "Open_Denied"
    syscall open = denied(result) && (( not-root-user || effectivenonroot ) && is-sysdir(arg0));

tag "CMD_SUGID"
    syscall execve = is-setuid;

# tag "CMD_priv"
#     syscall execve = is-system-uid(uid);

tag "CMD_Trust"
    syscall execve = cmd_trusted(arg0) && effectiveroot;

tag "TOE_file"
    syscall @file-ops = is-toe-file(arg0) || is-toe-dir(arg0);

tag "TOE_file"
    syscall @open-ops = ((is-toe-file(arg0) || (is-toe-dir(arg0))) &&
        (!is-rdonly(arg1) || denied(result)));

tag "TOE_file"
    syscall open = ((is-toe-file(arg0) || (is-toe-dir(arg0))) && is-o-creat(arg1));

tag "TOE_file"
    syscall creat = is-toe-file(arg0) || is-toe-dir(arg0);
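To make the predicate composition in filter.conf concrete, the following added example (not part of the guide and not code from the LAuS audit package) models mask(), eq(), lt() and prefix() with the meaning the file's own comment gives mask(), and then evaluates the is-system-file/FILE_open rule and the if-crash-signal rule on constructed syscall records. The numeric constants, the reading of __WSIGMASK as the low seven status bits, and the record layout (file-uid and file-mode as attributes of the path in arg0) are assumptions of the example.

```python
"""Model of the predicate language used in filter.conf above.

Added example, not part of the SLES guide or of the LAuS audit package. It
gives mask(), eq(), lt() and prefix() the meaning the file's own comment
documents ((mode & O_ACCMODE) == O_RDONLY), composes them with &&, || and !
the way the listing does, and evaluates two rules on constructed records:
the commented-out FILE_open rule built on is-system-file, and the
process-exit rule if-crash-signal. Assumptions: __WSIGMASK is the low 7 bits
of a wait(2) status (0x7f), numeric constants are i386 Linux values, and
'file-uid'/'file-mode' are attributes of the path passed in arg0."""
from typing import Callable

Pred = Callable[[object], bool]


# --- primitives: each returns a predicate on a single value ----------------
def mask(m: int, v: int) -> Pred:          # true iff (x & m) == v
    return lambda x: (x & m) == v


def eq(v: int) -> Pred:
    return lambda x: x == v


def lt(v: int) -> Pred:
    return lambda x: x < v


def prefix(*prefixes: str) -> Pred:        # prefix(@set): any member matches
    return lambda x: any(str(x).startswith(p) for p in prefixes)


O_RDONLY, O_WRONLY, O_RDWR, O_ACCMODE = 0, 1, 2, 3   # assumed i386 Linux values
SIGILL, SIGABRT, SIGSEGV, SIGSTKFLT = 4, 6, 11, 16
WSIGMASK = 0x7f                            # assumed meaning of __WSIGMASK

# --- predicates as written in the listing ---------------------------------
is_rdonly = mask(O_ACCMODE, O_RDONLY)      # predicate is-rdonly
is_system_uid = lt(100)                    # predicate is-system-uid
is_world_writable = mask(0o666, 0o666)     # predicate is-world-writable
is_var_or_tmp = prefix("/var", "/tmp")     # prefix("/var") || prefix("/tmp")


def is_system_file(rec: dict) -> bool:
    """predicate is-system-file = is-system-uid(file-uid)
            && !(prefix("/var") || prefix("/tmp"))
            && !is-world-writable(file-mode);"""
    return (is_system_uid(rec["file-uid"])
            and not is_var_or_tmp(rec["arg0"])
            and not is_world_writable(rec["file-mode"]))


def file_open_tagged(rec: dict) -> bool:
    """#syscall @open-ops = (is-system-file(arg0) && !(is-rdonly(arg1)))
    The '|| is-secret(arg0)' half is left out: is-secret is commented out."""
    return is_system_file(rec) and not is_rdonly(rec["arg1"])


def if_crash_signal(exitcode: int) -> bool:
    """!mask(__WSIGMASK, 0) && (mask(__WSIGMASK, __WSIGILL) || ... STKFLT)"""
    return (not mask(WSIGMASK, 0)(exitcode)
            and any(mask(WSIGMASK, s)(exitcode)
                    for s in (SIGILL, SIGABRT, SIGSEGV, SIGSTKFLT)))


# constructed open(2) records: arg0 = path, arg1 = flags, plus file attributes
OPEN_RECORDS = [
    {"arg0": "/etc/shadow", "arg1": O_WRONLY, "file-uid": 0, "file-mode": 0o100600},
    {"arg0": "/etc/passwd", "arg1": O_RDONLY, "file-uid": 0, "file-mode": 0o100644},
    {"arg0": "/tmp/scratch", "arg1": O_RDWR, "file-uid": 0, "file-mode": 0o100644},
    {"arg0": "/home/alice/notes", "arg1": O_WRONLY, "file-uid": 1000, "file-mode": 0o100644},
    {"arg0": "/etc/motd", "arg1": O_WRONLY, "file-uid": 0, "file-mode": 0o100666},
]


def tagged_opens() -> list[str]:
    """Paths whose open(2) the FILE_open rule would tag: only the write
    open of a non-world-writable system-owned file outside /var and /tmp."""
    return [r["arg0"] for r in OPEN_RECORDS if file_open_tagged(r)]


def crash_exits() -> list[int]:
    """Constructed wait(2) statuses: SIGSEGV with core dump flag, plain
    SIGABRT, a normal exit(1), and a SIGTERM kill; returns those the
    process-exit rule would log."""
    statuses = [0x80 | SIGSEGV, SIGABRT, 1 << 8, 15]
    return [s for s in statuses if if_crash_signal(s)]
```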


7.8 The file /etc/audit/eal3files.conf

# TOE config file
set toe_db_dirs = {
    "/etc/cron.d/",
    "/etc/cron.daily/",
    "/etc/cron.hourly/",
    "/etc/cron.monthly/",
    "/etc/cron.weekly/",
    "/etc/init.d/",
    "/etc/pam.d/",
    "/etc/sysconfig/",
    "/var/spool/atjobs/"
};

# TOE databases
set toe_db_files = {
    "/etc/at.deny",
    "/etc/audit/audit.conf",
    "/etc/audit/filter.conf",
    "/etc/audit/eal3files.conf",
    "/etc/crontab",
    "/etc/ftpusers",
    "/etc/group",
    "/etc/gshadow",
    "/etc/hosts",
    "/etc/inittab",
    "/etc/ld.so.conf",
    "/etc/login.defs",
    "/etc/modules.conf",
    "/etc/passwd",
    "/etc/securetty",
    "/etc/security/pam_pwcheck.conf",
    "/etc/security/pam_unix2.conf",
    "/etc/shadow",
    "/etc/ssh/sshd_config",
    "/etc/stunnel/stunnel.conf",
    "/etc/vsftpd.conf",
    "/etc/xinetd.conf",
    "/usr/lib/cracklib_dict.hwm",
    "/usr/lib/cracklib_dict.pwd",
    "/usr/lib/cracklib_dict.pwi",
    "/etc/stunnel.pem",
    "/var/log/faillog",
    "/var/log/lastlog",
    "/var/spool/cron/tabs/root",
    "/var/spool/cron/allow",
    "/var/spool/cron/deny"
};

# Trusted programs
set trusted_prog = {
    "/bin/date",
    "/bin/login",
    "/bin/ping",
    "/bin/su",
    "/sbin/agetty",
    "/sbin/auditd",
    "/sbin/init",
    "/sbin/mingetty",
    "/usr/bin/amtu",
    "/usr/bin/at",
    "/usr/bin/chage",
    "/usr/bin/chfn",
    "/usr/bin/chsh",
    "/usr/bin/crontab",
    "/usr/bin/gpasswd",
    "/usr/bin/passwd",
    "/usr/sbin/stunnel",
    "/usr/sbin/atd",
    "/usr/sbin/audbin",
    "/usr/sbin/aucat",
    "/usr/sbin/augrep",
    "/usr/sbin/aurun",
    "/usr/sbin/cron",
    "/usr/sbin/groupadd",
    "/usr/sbin/groupdel",
    "/usr/sbin/groupmod",
    "/usr/sbin/sshd",
    "/usr/sbin/useradd",
    "/usr/sbin/userdel",
    "/usr/sbin/usermod",
    "/usr/sbin/vsftpd",
    "/usr/sbin/xinetd"
};

# system directories
set sysdir-prefix = {
    "/bin",
    "/boot",
    "/dev",
    "/etc",
    "/lib",
    "/opt",
    "/proc",
    "/root",
    "/sbin",
    "/usr",
    "/var/adm",
    "/var/log"